Let's talk OOBI


OOBI, or Out-of-Band Infrastructure, is Cyclades' unique approach to enhance your IT infrastructure management capabilities. It integrates management of serial ports, KVM, KVM over IP, intelligent power distribution and IPMI devices in a secure, consolidated management solution for remote IT infrastructure administration. It complements system management tools like HP OpenView, IBM Tivoli, BMC PATROL and CA Unicenter.


An OOBI can cut costs and boost operational efficiency and productivity by minimizing the need for redundant equipment and personnel and, in most cases, eliminating the need for crash cart runs or remote visits to restore IT assets that have become disconnected from your production infrastructure.


Next-Generation IT Infrastructure Management

[Diagram: a systems administrator and the systems/network management tools reach the production infrastructure through a console server, KVM over IP, KVM and intelligent power/IPMI devices.]

Over 85% of Fortune 100 choose Cyclades.

1.888.cyclades - sales@cyclades.com

All other trademarks and product images are property of their respective owners.


Polywell First Class Linux Systems
The Most Reliable 64-bit Computing

2200A 1U 1TB Dual Opteron
* Dual AMD® Opteron™ 242 64-bit Processors
* 2GB 400MHz ECC DDR (Expandable to 16GB)
* 1TB (4 x 250GB) SATA HD 7200RPM 8M
* 1 x PCI-X 133MHz Slot
* On-board Dual Gigabit Ethernet
* On-board ATI Graphics
* Slim CD-ROM Drive, Optional DVD-RW or CDRW
* Slim Floppy Drive
* 1U 24" Depth Rack Chassis with 460W P/S
* 4 x Swappable Drive Bays (SATA or SCSI)
* Supports Linux, FreeBSD or Windows
Order# 2200824205A
$2,550

Linux Appliance PCs
* Custom Made Odd Size Chassis
* AC or DC Power Supply
* Low Power Voltage Processor or High Performance AMD® Opteron™ Processor
* Diskless or Flash OS Boot Drive
* Swappable Hard Drive, CD-ROM, FDD
* Integrated Graphics, Ethernet, USB
* Optional LCD LED Control Module
* 1S2 Audio, MPEG2/4 Hardware Video
* Kiosk, Thin Client, Networking Appliance
* We have over 18 years experience
OEM Appliance starts at $299

8422B 2U 4-Way Opteron
* Quad AMD® Opteron™ 846 64-bit Processors
* 4GB 400MHz ECC DDR (Expandable to 32GB)
* 2 x 133, 2 x 66MHz PCI-X, 1 x 32bit PCI Slots
* Dual Gigabit Ethernet, U320 SCSI Controller
* Dual Hot-Swap 36GB SCSI Drive for Mirror
* Slim CD-ROM Drive, Optional DVD-RW or CDRW
* 2U 28" Depth Rack Chassis with 700W PFC P/S
* Supports Linux, FreeBSD or Windows
Custom Configuration Available. Please call for other Options.
Order# 8422B846LJ05B
$7,499

1U Power Saving ISP Server
* AMD® Sempron™ or Opteron™ Processor
* 512M Memory
* 80GB Hard Drive
* 10/100Mbit Ethernet
* We provide Drive Image Service
* 1U 14" Short Rack, allows 2 x 1U per Rack
* Low Power Usage to save your Data Center Cost
* Perfect Entry Level ISP Server or Appliance System
* IDE Flash Drive is available
* Supports Linux, FreeBSD or Windows
Custom Configuration is Available. Please call us to discuss your specification.
Order# 6231U800ISP02E
starts at $399

SANAS 4U 9.6TB Storage
SAN Ready NAS Storage Server with up to 24 x 400GB Hard Drives
* Dual Processor FreeBSD/Linux NAS Appliance
* up to 4 x 2G Fibre Channel Ports for SAN
* up to 8 Gigabit Ethernet Ports for NAS
* Supports UNIX, Linux, FreeBSD, Windows
* 24 x Hot Swap Drive Bays for SATA or SCSI Drives
* 950W 3+1 Redundant Hot Swap Power Supply
Custom Configuration is available. Optional Tape Back Up, Media Reader.
Order# SANAS6TBLJ05F
6TB NAS starts at $7,999

8400B 4U 2TB 4-Way Opteron
* Quad AMD® Opteron™ 846 64-bit Processors with HyperTransport Technology
* 4GB 400MHz ECC DDR (Expandable to 32GB)
* 2 x 133, 2 x 66MHz PCI-X, 1 x 32bit PCI Slots
* Dual Gigabit Ethernet, On-board ATI Graphics
* 8-Channel SATA RAID-5 PCI-X Controller
* 2TB 8 x 250GB SATA 7200RPM Hard Drive 8M
* CDRW-DVD Combo Drive, Floppy
* 4U 26" Depth Rack Chassis
* 950Watt 3+1 Redundant Hot Swap Power Supply
* Supports Linux, FreeBSD or Windows
Custom Configuration Available. Please call for other Options. Remote Support Available.
Order# 8400B46LJ05C
$8,888

18 Years of Customer Satisfaction
5-Year Warranty, Industry's Longest
First Class Customer Service
888.765.9686
www.Polywell.com/us/LJ

AMD64 architecture reduces I/O bottlenecks, increases bandwidth, and reduces memory latency. Critical information gets to those who need it quickly and efficiently.

Polywell Computers, Inc 1461 San Mateo Ave. South San Francisco, CA 94080 650.583.7222 Fax: 650.583.1974

AMD and ATHLON are trademarks of Advanced Micro Devices, Inc. Quadro, nForce and Nvidia are trademarks of NVIDIA Corporation. All other brands, names are trademarks of their respective companies.


COVER STORY 


50 BELLY DANCE AND FREE SOFTWARE 
Whether you dance, play in a band, read poetry or run robot battles, it seems 
like getting the word out about your upcoming gigs is a full-time job by itself. 
Dawn Devine and Michael Baxter cover some tools to make your promotional 
projects a little easier. Keep your photos organized, edit them to the format you 
need and lay out your materials, all on Linux. 


FEATURES 


46 INFINIBAND AND LINUX 
If 120Gb/s isn’t fast enough for you, 
try receiving data without the CPU 
doing a thing. 
ROLAND DREIER 

50 BELLY DANCE AND FREE 
SOFTWARE 
Publicize your next event with a 
good-looking flyer or poster. Scribus 
works great, even if you can’t dance. 
DAWN DEVINE AND MICHAEL 
BAXTER 


56 FD.O: BUILDING THE 
DESKTOP IN THE RIGHT 
PLACES 
The designers of the X Window 
System must have done something 
right. Here’s how X, the OS and the 
desktop are growing together to 
meet user needs. 

MARCO FIORETTI 


INDEPTH 


72 VIA PADLOCK—WICKED- 
FAST ENCRYPTION 
Add hardware support for a com- 
mon task and measure the perfor- 
mance improvements. 
MICHAL LUDVIG 

78 WRITING A GCC FRONT END 
Wow, it’s practically a whole new 
compiler. Put the power of GCC to 
work behind your new language. 
TOM TROMEY 

82 LINUX IN THE CLASSROOM: 
AN EXPERIENCE WITH 
LINUX AND OPEN-SOURCE 
SOFTWARE IN AN 
EDUCATIONAL 
ENVIRONMENT 
JOE RUFFOLO AND RON TERRY 

86 TEN MYSTERIES OF 
ABOUT:CONFIG 
If you're catching Firefox fever, but 
the browser isn’t quite right, you 
might just find the tweak you need 
in this “secret” configuration tool. 
NIGEL MCFARLANE 


90 BUILDING A 
BIOINFORMATICS 
SUPERCOMPUTING CLUSTER 
It's easier than ever to turn commodity 
hardware into a high-performance 
computing project. Here, Linux enables 
searching a lot of DNA sequences fast. 
JOSH STROSCHEIN, DOUG 
JENNEWEIN AND JOE REYNOLDSON 


38 THINGS YOU SHOULD 
NEVER DO IN THE KERNEL 
Don't read files from a kernel module. 
Well, if you must, read on. 

GREG KROAH-HARTMAN 


TOOLBOX 


14 AT THE FORGE
Sunbird and iCalendar
REUVEN M. LERNER

22 KERNEL KORNER
Kprobes—A Kernel Debugger
R. KRISHNAKUMAR

28 COOKING WITH LINUX
Crossing Platforms
MARCEL GAGNÉ


32 PARANOID PENGUIN 
Securing Your WLAN with WPA and 
FreeRADIUS, Part Il 
MICK BAUER 


COLUMNS 


42 LINUX FOR SUITS 
Inspired 
DOC SEARLS 
96 EOF 
If You Don't Believe in DRM, It Can't 
Hurt You 
DON MARTI 


REVIEWS 


66 CYCLADES ALTERPATH 
MANAGER E200 
MATTHEW HOSKINS 
70 THE OFFICIAL BLENDER 2.3 
GUIDE 
JEFFREY BIANCHINE 


COVER PHOTO: MICHAEL BAXTER 


JOURNAL 


MAY 2005 ISSUE 133 


DEPARTMENTS 


4 FROM THE EDITOR 

6 LETTERS 

12 UPFRONT 

60 NEW PRODUCTS 

62 BEST OF TECHNICAL 
SUPPORT 

81 ADVERTISERS INDEX 

95 MARKETPLACE 




Need to do a poster or flyer? Bring your layout 
ideas to print with Scribus (page 50). 


NEXT MONTH 
INTRANET 


If you've been following the kernel changelogs, you'll notice new support for ATA over Ethernet. It really is what it sounds like: an inexpensive way to do network storage using standard Ethernet hardware. Ed Cashin covers how to set up a storage array on a budget and grow it while mounted when you need more space.


Mick Bauer is all set to finish up the 
series on setting up WPA and 
RADIUS. The last step even includes 
adding in some non-Linux clients to 
protect them too. If your wireless 

network is your security weak point, 
you'll need this. 


Back while the 2.6 kernel was in development, Red Hat borrowed 2.6 features and nonstandard patches to build a unique, customized 2.4 kernel. Now the 2.6-based Red Hat Enterprise Linux 4 is out, and Tim Burke is back with a look at how a distribution connects fast and furious Linux coding with risk-averse enterprise customers.
FROM THE EDITOR 


Keep Your 
Options Open 


Good technology doesn’t make you pick sides. 
Stay flexible with today’s most versatile tools 


and standards. BY DON MARTI 


Last time we did a special 
issue with a focus on soft- 
ware development, we 
called it the Cross-Platform 
Development issue. But really, 
the overwhelming majority of 
software that runs on Linux is 
cross-platform. 

Sure, there are some Linux-exclu- 
sive tools, like the kernel debugger 
Kprobes (page 22). But the rest of 
the stuff in this issue, from Mozilla’s 
Sunbird (page 14) and Firefox (page 
86) to the versatile compiler suite 
GCC (page 78), is all wonderfully 
choice-preserving. Want to switch 
architectures? Use a different operat- 
ing system? Even swap out your 
company’s business model? 

One software vendor I know 
decided to go from being a “pure 
software play” to a hardware com- 
pany and pulled it off in a matter of 
months. There are even companies 
that will take your software load and 
turn it into a Linux appliance with 
your logo and everything, almost as 
easy as sending in a CD and manual 
for duplication. 

Some OS vendors profit by 
imposing a high cost of switching. 
But in the long run, it’s good to 
have users who can walk away. It 
makes you stay good at what you 
do and gives you instant feedback 
when you slip. Today’s Linux users 
can get the same applications on a 


different platform with a quick 
visit to TheOpenCD.org or 
fink.sourceforge.net. We’re not 
staying on Linux just because 
we'd lose time or mangle data by 
switching away—can any propri- 
etary OS say the same? 

As a software developer you 
have more options today than ever. 
You’re not just choosing open 
source or proprietary or deciding 
between direct sales or channel. 
Develop for Linux and you can easi- 
ly offer your software as download, 
shrink wrap, service or appliance. 
Get started with development before 
you have to make a final decision 
on the business model. 

Speaking of choices, Greg 
Kroah-Hartman has a warning for 
you: don’t try to read files in the 
kernel (page 38). He and the rest of 
the core kernel team just don’t like 
it. But guess what? You have the 
freedom to read files in the kernel 
anyway. So if you have to do it, do 
it. An OS developer’s decision that 
something is Bad doesn’t apply to 
you. 

In conclusion, beware of any 
technology that has an “evangelist”. 
If a platform gives you enough 
choice that you don’t have to trust 
it, it’s a good sign that you can. 
Rackspace — Managed Hosting backed by Fanatical Support 


Servers, data centers and bandwidth are not the key to hosting enterprise class Web sites and Web applications. 
At Rackspace, we believe hosting is a service, not just technology. 


Fanatical Support is our philosophy, our credo. It reflects our desire to bring responsiveness and value 
to everything we do for our customers. You will experience Fanatical Support from the moment we answer the 
phone and you begin to interact with our employees. 


Fanatical Support has made Rackspace the fastest-growing hosting company in the world. Call today to 
experience the difference with Fanatical Support at Rackspace. 
Readers' Choice Award for “Favorite Web-Hosting Service”
1.888.571.8976 or visit us at www.rackspace.com 


LETTERS 


If You Can’t Reach Esc, How Do You 
Quit vi? 


Here is a picture of my three-week-old son 
Nicholas Robert getting his first taste of 
Linux. Love your magazine—keep up the 
fantastic work! 


Dan Behman 


Redundant Storage Idea 


I am the System/Network Admin in an office 
environment of relatively new PCs (about 
25) and a few servers. When I started, it was 
100% Microsoft. Now our department relies 
heavily on two Slackware servers. One of the 
duties of the bigger server is a Samba file 
server that everybody has access to. I had the 
idea one day of a pseudo-RAID-5 implemen- 
tation over the network. All these new PCs 
with 80GB hard drives, using only ~3GB, 
because everybody is using the Samba share. 


What if someone took existing code from 
LVM and the highly stable RAID-x kernel 
modules and made a project that allowed you 
to create a file of a fixed size on each one of 
those Windows machines, say 40GB per 
machine, and then mount it as one large vol- 
ume to be re-shared out to those who save 
everything to the X drive? 


Because the Windows PC will have a single 
fixed 40GB file, it will be easy to configure 
remote or local backup software (I selected 
BackupPC) to ignore that file when perform- 
ing a backup. 


Your total storage with the above example 
would be (n-8)*40 where n is the number of 
PCs. 680GB of redundant storage is a big 
step up from the 80GB RAID 1 file server in 
use now. This would not be the best solution 
for large, frequently used files as the network 
would easily become a bottleneck, but for 
ever-increasing storage demands from archiv- 
ing sales records and raw images for Web site 
products that are modified once then kept for- 
ever, it’s a great solution. At least I think so. 
Thank you for a great magazine. 


Chris Turner 


If you can do that with good performance, sta- 
bility and security, you’ll never have to buy your 
own beverages at USENIX conferences.—Ed. 


Focus, Please 
I have been a subscriber to Linux Journal for 
several years now. One thing that I have 
noticed is that LJ doesn’t seem to have a partic- 
ular area to focus on. Are your articles intended 
for desktop users or for server administrators? 
Please choose your niche and stick to it. 


In the meantime, I’ve just renewed my subscrip- 
tion for another year. I’d really appreciate see- 
ing more desktop-oriented articles in the future, 
and less of the server- and network-administra- 
tor stuff. I subscribe to other magazines for that. 


jh 


Non-Linux OSes are cluttered with so much 
junk because people don't learn from other 
areas of development. The desktop, server 
and embedded environments have a lot to 
teach one another.—Ed. 


One Computer, Hold the Fan 
I'd like to second the suggestion by Ramer 
W. Streed in the February 2005 Letters sec- 
tion (page 6) for an article on fanless com- 
puters. Fans are noisy and irritating. Besides, 
my wife is a heavy smoker, and computer 
vents and heatsinks in our house tend to get 
clogged with smoke particles. Streed’s 
request was for a fanless PowerPC, but I’d 
settle for anything without a fan, as long as it 
has reasonable capability and runs Linux. 


A. T. Young 


We might have a little surprise in store for 
you.—Ed. 


Make the Competition Pay for Linux 
Info 
My understanding of having ads in TV, radio 
and magazines is to generate money. As long 
as the ad is not ethically incorrect, why not 
publish it? Why not let Microsoft help pay to 
spread Linux knowledge? Microsoft had an 
ad on a Linux forum I visit regularly, and I 
would faithfully click on it every day. 
Sometimes twice a day. Would I use a 
Microsoft product? Not in the near future, 
but each and every click on that ad helped 


keep that forum free. A free forum is a good 
match to a free operating system. 


We live in the information age. It is not the 
Microsoft vs. Linux issue that so many people 
try to create. It is monopoly vs. free-flowing 
information. As a matter of fact, not allowing 
something because it can compete is doing 
business the Microsoft way. I would not 
object to seeing a Microsoft ad in a Linux 
magazine. As a matter of fact, I would like to 
see those expensive two-page or fold out ads 
pushing Microsoft products to pay for a new 
section called “newbie corner’, or something 
like that. If nothing else, I would rather flip 
over that ugly Windows logo than pay more 
for my magazines. 


Brad Peters 


Cuddly Penguin 


Here’s a picture of my son Gabriel, age 14 
showing his affection to our beloved Penguin. 
Maybe we’ll see it in one of your issues! All 
the best from one of your subscribers. 


Paul 
Cats Still Love SUSE Packaging 
Greetings from Guatemala, Central America. 
Since 1999 this girl is in love with Linux and 
her cat! 


David Salgado 


Low-Priority Bug Report 
In the diff -u section in the February 2005 issue, Zack Brown reports the bug found by Pavel Machek in the 2.4 kernel: in year 9223372034708485227, or 9.22 × 10^18, all 2.4 kernels will immediately stop.


This is a great discovery that should be presented to the astronomical community. Following J.D. Barrow & F.J. Tipler in The Anthropic Cosmological Principle book, at the same time 2.4 kernel Linuxes will die, Neutron Stars will cool to 100 degrees Kelvin and planets' orbits will collapse via gravitational radiation. All of this will happen long after the Sun abandons the Main Sequence (5 × 10^9 years) and all the stars become white dwarfs (1 × 10^14 years).


I think this is a new astronomical landmark 
that all Linux users should ask to include in 
the astronomical almanac of the foreseen his- 
tory of the Universe. 


Guigue 


Two Penguins, One Baby 
I first congratulate you and your team for 
your excellent Linux Journal—I wait for it 
every month. I attach a picture of my 
seven-day-old son, Sebastian, who seems to 
sleep very well with his favorite penguins. 
He doesn’t like worms, bugs or horses 
(maybe trojan ones). 


I'll let you guess which OS he most likely 
will be familiar/comfortable with in the near 
future. Penguins are a very common animal here in Chile. There is a group of them about 40km from where I live.


Marcelo Maraboli


Photo of the Month: NASA Site Tour


These two future kernel hackers had not seen a computer taller than themselves until I took them to see NASA Ames' 10,240 CPU Linux system, Columbia. Tony (foreground), an avid collector of spongy penguins given out at various Linux events, now thinks computers were created by penguins, or vice versa. Ronnie, on the other hand, no longer just asks to go to Daddy's work. He now wants to see Daddy's "Big Work".


Wayne Vieira


Photo of the Month gets you a one-year extension to your subscription. Photos to ljeditor@ssc.com.—Ed.


Mmmm, Penguins 


There is this fantastic confectioner in Walpole, 
New Hampshire that makes these cute little 
chocolate penguins. They also have a shop for 
gifts: www.laburdick.com. They will ship 
boxes and baskets and of course the penguin. 




Daniel Hoviss 


Certified by Whom? 


I was working on a newly purchased server, 
and in the documentation package, I came 
across this CD. Nothing special about the disc 
itself, but the label was rather entertaining. 
Notice that the disc is both Microsoft Certified 
and Powered by Linux. Hope you find it as 
entertaining as I did. 


Kris Linville 
which Laptop? 
ees 


You’ve been fiddling with Linux laptops. 
Doc has an EmperorLinux Toucan (aka IBM 


LETTERS CONTINUED ON PAGE 95 
AMD Athlon™ 64 CPUs:
AMD Athlon 64 3700+ (754) $329.00
AMD Athlon 64 3800+ (939) $424.00
AMD Athlon 64 4000+ (939) $643.00
AMD Athlon 64 FX-55 (939) $828.00

AMD Opteron™ CPUs:
AMD Opteron 846HE (55W) 2.0GHz $847.00
AMD Opteron 848 2.2GHz $847.00
AMD Opteron 850 2.4GHz $1130.00
AMD Opteron 852 2.6GHz $1469.00

NEW AMD Opteron 252 & 852: available at our website, www.monarchcomputer.com

AMD Athlon 64 CPUs feature:
* HyperTransport™ technology
* Enhanced Virus Protection for Microsoft® Windows® XP SP2
* Cool'n'Quiet™ technology
* AMD64 technology

Combos: Mainboard, Processor, Heatsink and Fan with Memory Options. FREE INSTALLATION AND TESTING. Latest BIOS loaded for easy upgrades. AMD Athlon XP, Athlon MP, Athlon 64, Athlon 64 FX and Opteron combos available.

SilverStone SST-TJ06-B (Black) E-ATX w/460W PS, Tyan S2882G3NR Thunder K8S, AMD Opteron processor 248: Starting @ $1138

Antec Performance One P160 Case w/420W PS, Abit KV8 PRO Motherboard w/ AMD Athlon 64 processor 2800+ (754): Starting @ $438

*** AMD Athlon 64 and Athlon 64 FX are the ONLY Windows®-compatible 64-bit PC processors

www.monarchcomputer.com
Components and Upgrades: 1000s of In-Stock Components. Visit www.monarchcomputer.com for products in this ad, current inventory and up-to-the-minute pricing. Call or email for special orders. Educational and Government POs Welcome.

Monarch Has The LOWEST PRICES on Custom 64-Bit Servers, Workstations & Desktops

Part: 80340 Monarch Furia Deluxe Workstation Special: AMD Athlon 64 3800+, 1GB PC3200 DDR, PNY Quadro FX500

Part: 30999 Monarch Centira Ultimate Desktop Special: ATI 9600SE AGP

Choose a preconfigured System Special, upgrade any component or accessory, even customize your system from the inside out; see the dynamic, real-time pricing on your configuration, and save a quote to lock in pricing for up to 7 days! A full line of workstations, rack servers and tower servers, plus new system lines for Sempron™ and Opteron™ processors.

The AMD Opteron processor, built upon forward-thinking AMD64 technology, provides flexibility with a 1-8-way scalable design. The AMD Athlon 64 processor improves security against certain types of viruses with Enhanced Virus Protection for Microsoft Windows XP SP2.

The NEW Monarch Custom Opteron Workstation for 2005:
* Aluminum Quiet Tower (Black) with 550W Antec Power Supply
* Tyan Thunder K8W S2885ANRF Board, AGP Pro 4X/8X, SATA/IEEE
* (2) AMD Opteron Processors 252
* 2GB (4 pcs 512MB) DDR(400) PC-3200 REG ECC Corsair Memory (TwinX1024RE-3200LL)
* (4) Western Digital 74GB 10K RPM Raptor (WD740GD) 8MB Cache SATA HDDs
* 3ware Escalade 9500S-4LP 4 Port SATA RAID Controller w/ RAID 5 Setup
* Asus 5232ASQT-BLK 52X32X52 CD-RW (Black)
* Plextor PX-712A/SW-BL DVD+R/RW
* Mitsumi Floppy 7-in-1 Smart Card reader (Black)
* Creative Audigy 2 ZS 24BIT Advanced HD Sound
* PNY QuadroFX 3000 AGP 8x/4x 256MB
* Linux Fedora Core 3 A64 Installed
1 or 3 year warranties available. $100 Off Reviewed Price!

AMD, the AMD Arrow logo, and combinations thereof, and the AMD64 logo, and AMD Opteron, are trademarks of Advanced Micro Devices, Inc.
UPFRONT NEWS + FUN 


On the Web


>> If you’re curious about how Joe 


Ruffolo and Ron Terry used the 
various open-source software 
mentioned in their article (page 
82) to connect the Utah College 
of Applied Technology satellite 
campuses, see their follow-up 
Web article, “A Reading List for 
Linux in the Classroom” 
(www.linuxjournal.com/article/ 
8124). There, they point to 
good sources for more informa- 
tion on Samba, OpenLDAP and 
other software, so you can do 
your own project. 


Didn’t make it to Germany for 
CeBit 2005? We didn’t either, 
but Stefan Cars did. Check out 
his show review, “CeBit 2005: 
On the Scene in Hannover” 
(www.linuxjournal.com/article/ 
8125), to see what you missed. 
And with “6,207 exhibitors 
(52% from abroad) and a net 
display area of 309,000 square 
meters”, we’re guessing you 
missed a lot. 


Our Web article series on 
embedded development 
wrapped up recently with 

“An Introduction to Embedded 
Linux Development, Part 4” 
(www.linuxjournal.com/article/ 
8122). In the final installment, 
Ben Anderson and Richard 
Sevenich discuss how to use 
the Background Debug Mode 
provided in Motorola proces- 
sors. Meanwhile, Larry Finger 
wraps up his Web series 

with “Linux in a Windows 
Workstation Environment, Part 3” 
(www.linuxjournal.com/article/ 
8126), a description of using 
“our Linux server to provide 
VPN tunnels that secure our 
users’ transmissions over a Wi- 
Fi network that is required to 
be unsecure”. 


diff -u 


What’s New in Kernel Development 


Wichert Akkerman, the former Debian 
Project leader, noticed some pretty weird 
behavior under 2.6.10-ac10. Doing a df 
command, he found that his disk usage was 
reported to be -73786976294838127736. 
Suspecting an error, he posted to the linux- 
kernel mailing list, but although several folks 
offered speculation on what had happened, 
Wichert had fixed the problem with e2fsck 
and was unable to do further tests to confirm 
one explanation or the other. This sort of thing 
happens from time to time—a strange, unex- 
plained anomaly. Maybe it will appear again 
in some later kernel version and be diagnosed, 
or maybe it was a hardware glitch. 

Mitch Williams recently found that files in 
SysFS could not be appended to. Any attempt 
to do so would overwrite the old data with the 
new. Even opening the file and seeking to the 
end before writing would have the same effect. 
Greg Kroah-Hartman confirmed that this was 
not at all the intended behavior, especially con- 
sidering that SysFS would overwrite the data 
without giving any error message. Mitch had a 
patch ready to correct both cases— appending 
and seeking —and after some small patch-split- 
ting discussion with Greg, it looks as though 
SysFS’s behavior will change so file operations 
appear more normal. 
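The two cases Mitch found are easy to check from user space. The probe below is an added example, not code from the column or from Mitch's patch: it writes marker bytes to a path, then tries an O_APPEND write and an explicit lseek to the end before a plain write, and reports whether the earlier bytes survived each time. The path, the marker strings and the result bits are assumptions made for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Result bits returned by probe_append_semantics(); 0 means both cases behaved. */
#define PROBE_IO_ERROR    0x1  /* open/read/write on the path failed */
#define PROBE_APPEND_LOST 0x2  /* an O_APPEND write clobbered the existing bytes */
#define PROBE_SEEK_LOST   0x4  /* lseek(SEEK_END) + write clobbered the existing bytes */

/* Open `path` with `flags`, optionally seek to the end, write `len` bytes. 0 on success. */
static int write_at(const char *path, int flags, int seek_end,
                    const char *data, size_t len)
{
    int fd = open(path, flags, 0600);
    if (fd < 0)
        return -1;
    if (seek_end && lseek(fd, 0, SEEK_END) < 0) {
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, data, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Read the whole file into `buf` as a NUL-terminated string (truncated at buflen-1). */
static int read_all(const char *path, char *buf, size_t buflen)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    size_t total = 0;
    ssize_t n;
    while (total < buflen - 1 &&
           (n = read(fd, buf + total, buflen - 1 - total)) > 0)
        total += (size_t)n;
    close(fd);
    buf[total] = '\0';
    return 0;
}

/*
 * Probe whether `path` honours POSIX append semantics. Each case starts from a
 * fresh file holding the constructed marker "AAAA", so the checks are independent.
 * The file is unlinked afterwards (ignored where unlink is not permitted).
 */
int probe_append_semantics(const char *path)
{
    char got[64];
    int result = 0;

    /* Case 1: O_APPEND must place "BB" after the existing bytes. */
    if (write_at(path, O_WRONLY | O_CREAT | O_TRUNC, 0, "AAAA", 4) < 0 ||
        write_at(path, O_WRONLY | O_APPEND, 0, "BB", 2) < 0 ||
        read_all(path, got, sizeof got) < 0)
        return PROBE_IO_ERROR;
    if (strcmp(got, "AAAABB") != 0)
        result |= PROBE_APPEND_LOST;

    /* Case 2: an explicit seek to the end followed by a plain write of "CC". */
    if (write_at(path, O_WRONLY | O_CREAT | O_TRUNC, 0, "AAAA", 4) < 0 ||
        write_at(path, O_WRONLY, 1, "CC", 2) < 0 ||
        read_all(path, got, sizeof got) < 0)
        return PROBE_IO_ERROR;
    if (strcmp(got, "AAAACC") != 0)
        result |= PROBE_SEEK_LOST;

    unlink(path);
    return result;
}

int main(int argc, char **argv)
{
    /* The default path is an assumption; pass another one on the command line. */
    const char *path = argc > 1 ? argv[1] : "/tmp/append_probe.tmp";
    int r = probe_append_semantics(path);
    printf("%s: append %s, seek+write %s%s\n", path,
           (r & PROBE_APPEND_LOST) ? "LOST" : "ok",
           (r & PROBE_SEEK_LOST) ? "LOST" : "ok",
           (r & PROBE_IO_ERROR) ? " (I/O error)" : "");
    return r ? 1 : 0;
}
```

On a regular filesystem both cases return ok. To reproduce the behaviour the column describes, point it at a writable SysFS attribute on a kernel from that period, and only at one whose store() handler has no side effects, since the probe really does write the marker bytes.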

A new security@kernel.org mailing list has 
been created. The purpose of this list is to receive 
reports of security exploits before they become 
commonly available, so the Linux developers 
can create and distribute fixes before attack- 
ers can create and deploy attacks. One of the 
features of this list is that subscription is by invi- 
tation only, and the archives are not made imme- 
diately available, as they are with the regular 
linux-kernel mailing list. Linus Torvalds, who 
has said he personally would much prefer a com- 
pletely open style of development, has joined the 
list, with the idea that the greater secrecy urged 
by folks like Marcelo Tosatti regarding nonpub- 
lic security issues might turn out to be a good 
idea after all. In any event, he’s willing to try it 
and see. This sort of issue inevitably will be con- 
troversial, especially among strong advocates of 
the open-source development model. 

Jake Moilanen has created a genetic algo- 
rithm library within the kernel to help tune the 
input/output scheduler, as well as the process 
scheduler. Traditionally, these schedulers (espe- 
cially the process scheduler) have been notori- 
ously difficult to get right, because of the tremen- 
dous variety of user behavior. How can develop- 
ers be sure that any particular algorithm will 
work best under any particular set of user activi- 


ties? Really, they can’t. Something like Jake’s 
work, if feasible, could pave the way for an 
entirely new method of tuning kernel parameters. 
At the same time, genetic algorithms tend to be 
unpredictable in their results, and unpredictabili- 
ty is not necessarily desirable in a kernel. I imag- 
ine developers would be resistant to including 
this sort of patch unless it could produce very 
large and measurable performance improve- 
ments. Even then, they might want to include 
only the results of the genetic tuning and not the 
actual genetic algorithm itself. Time will tell. 

In the saga of Software Suspend, Pavel 
Machek recently enabled swsusp for SMP 
machines. Before now, this had not been sup- 
ported, but apparently starting with 2.6.11 it 
should be possible to use Software Suspend suc- 
cessfully on SMP systems. Little by little, the 
swsusp code advances, and the controversy and 
acrimony of competing code bases that we saw 
over the past year is starting to fade away. Of 
course, Software Suspend is an inherently tricky 
problem, because some hardware simply won’t 
cooperate. In such situations controversy will be 
inevitable, and the difficulty of knowing the best 
way to tackle a given problem tends to become a 
question of unpleasant trade-offs. But, swsusp 
certainly is looking very promising right now. 

There’s been a lot of maintainership activity 
recently among new and existing kernel projects 
alike. Andrew Vasquez is now the official main- 
tainer of the QLogic QLA2XXX FC-SCSI driver. 
Tony Luck has taken over IA-64 maintainership 
from David Mosberger-Tang. Matthias Kunze 
has taken over the apparently unmaintained 
Enhanced Linux Progress Patch and forward- 
ported it to 2.6.10. Adrian Bunk has taken over 
the util-linux project from Andries Brouwer, 
after Andries had put out a call for a new main- 
tainer back in September 2004. 

Related to the issue of maintainership, the 
MAINTAINERS file may start identifying 
mailing lists that can receive posts only from 
subscribers. Traditionally, Linux development 
lists are open to all posters to encourage bug 
reports from as many users as possible, but not 
all kernel-related projects agree with this policy. 
For those who don’t, folks like Domen Puncer 
have been submitting patches to identify those 
lists as subscriber-only. Earlier, Domen had tried 
removing mailing lists like the linux-arm-kernel 
list from the MAINTAINERS file for this rea- 
son, but after some negative feedback from 
folks like Alan Cox, he opted for his current 
approach instead. 


—ZACK BROWN 
Cyclades IPMI

Cyclades' AlterPath™ Manager is the first secure enterprise IPMI manager to boost operational efficiency and productivity with industry leading features:

* Vendor-independent IPMI management
* Enterprise security and authentication: SSH v2, LDAP, RADIUS, TACACS+, Kerberos, Active Directory
* Centralized access, control and auditing
* Event notification and alarms
* Scalable to 5000 devices and 256 simultaneous connections
* Remote IT infrastructure administration
* Web-based access
* Remote logging and monitoring
* Supports IPMI 1.5 and 2.0

We've worked our magic. Now you can work yours.

Over 85% of Fortune 100 choose Cyclades.


Best Network Pickings


Netapplet is a neat little network interface control applet that lets users select networks and interfaces. Because the air in most civilized places is now thick with Wi-Fi signals, available networks are represented by horizontal bars representing signal quality and handy little padlock icons representing WEP locks. That means you can warwalk (or wardrive, or warfly) and select open networks on the fly. This makes it a must-have app for every mobile Linux user.

It was written, coincidentally, by contributing editor Robert Love, along with his colleague Joe Shaw, but I discovered it while walking the floor at the latest LinuxWorld Expo, looking for cool stuff. It was the coolest thing I saw at the show.

Robert points out that netapplet has a few other neat features too. It automatically will fall back to a new wireless network when your current network goes away. It stores WEP keys in an encrypted gnome-keyring for automatic reconnection and works around a bunch of wireless driver bugs to make the experience better. By the way, it works with wired networks and PPP dial-up connections as well.

Robert (who wrote Linux Kernel Development and works for Novell) wrote netapplet for SUSE, but packages are available for other distros.

More information is available at primates.ximian.com/~rml.

[Screenshot: the netapplet menu listing available networks, with Connection Information and Configure Network Settings entries.]

—DOC SEARLS


Ten Years Ago 
in Linux Journal 


Internet services were the fla- 
vor of the month for the May 
1995 issue, and Eric Kasten 
covered the basics of setting up 
the CERN and NCSA Web 
servers. Hacking the source to 
fix a vulnerability listed on 
CERT, along with editing the 
Makefile, were key steps for 
getting the latter going. 

Piers Cawley covered set- 
ting up the Majordomo mailing-list manager, including 
how to add a patch to force Majordomo to send out a 
digest if messages are sitting around for too long. Daniel 
Hollis covered setting up a Linux server for an ISP. The 
hardware included an Intel 486DX4/100 processor, a 
16-port serial card and 28.8k and 14.4k modems. 

Walnut Creek CD-ROM advertised a two-CD 
Slackware set. The minimum memory requirement was 
4MB, and according to the ad, a “typical installation” 
with development tools, Sendmail and X would require 
about 40MB. 

Finally, Linus Torvalds released Linux 1.2.0 with a 
parody of Microsoft licensing terms, including the “I’ve 
got too much money” license. The real license in the 
actual code stayed GPL, of course. 




—DON MARTI 


Freedom-Compatible HDTV Boxes: 
Time Is Running Out 


Linux user group mailing lists are buzzing with announcements for 
personal video recorder “Build-Ins”. The Electronic Frontier 
Foundation (EFF) has put together easy-to-follow instructions for 
turning a PC plus a high-definition TV card into a Linux-based per- 
sonal video recorder, using Knoppix and MythTV. 

Seth Schoen wrote about the threat of the proposed Broadcast 
Flag regulation two years ago in Linux Journal. Unfortunately, for 
anyone interested in Fair Use or do-it-yourself HDTV projects, the 
US FCC adopted the regulation, which will put draconian “robust- 
ness” requirements on any device that handles an HDTV signal, in 
effect making it illegal to support a GPL device driver. The regula- 
tion is scheduled to go into effect on July 1, 2005. 

The EFF, along with other organizations including the American 
Library Association, Consumers Union and the Medical Library 
Association, has filed a lawsuit to challenge Broadcast Flag. 
Lawyers for both sides argued the case before the US Circuit Court 
of Appeals for the District of Columbia in February 2005. 

Instead of biting your nails waiting for the courts, get parts and 
build a PVR while you still can. Turn your friends who want a cool 
system like yours into technology freedom supporters. One group, 
Bay Area Debian, turned the “build-in” into an excuse for a group 
trip to Fry's, the discount electronics store where aisles sometimes 
turn into informal peer-to-peer Linux hardware support seminars. 

Check out the EFF’s Broadcast Flag page. Their “cookbook” is a 
great first family Linux project: eff.org/broadcastflag. 

To order your pcHDTV card ($169.98 US), visit www.pchdtv.com.


—DON MARTI 


TOOLBOX AT THE FORGE 


Sunbird and 
iCalendar 


Mozilla’s Sunbird calendar combines the advantages of centralized, 
cooperative Web applications with the speed and usability of a cross- 
platform desktop tool. BY REUVEN M. LERNER 


When I first started to write server-side software, I laughed at the thought
that I was writing applications. After all, I was writing only small bits of
code; nothing I did could hold a candle to what a real program, running on
the desktop of someone’s computer, could do.

Of course, things have changed quite a bit in the computer industry since
those early days. Today, Web-based applications are not only an established
fact of life, but they seem to be playing an increasingly prominent role in
our daily lives. Recently, I began to look into software that I could use to
prepare my US income taxes. I shouldn’t have been surprised to discover that
many companies now are offering Web-based tax calculation programs. The term
ASP, or application service provider, was hot several years ago, when it
seemed as if all software would work over the Web. Although there have been
some obvious success stories, there also were many failures, for technical
and business reasons alike.

Figure 1. The main Sunbird window, in multiweek mode. Two of my three calendars (Hebcal 2005 and
Northwestern grad school) are color-coded, both in the definition pane and the main window. Also notice how
items in my to-do list are color-coded, indicating whether they are on time, late, in need of attention or ongoing.

It’s easy to understand why Web-based applications are attractive to a
business: you no longer have to test your software on every platform but
instead only on a handful of browsers.
You no longer need to support many 
different versions of the software, 
because only one version is accessible 
at any given time. Bug fixes and soft- 
ware updates can be integrated into the 
system almost continuously. The soft- 
ware is available from anywhere with 
an Internet connection, instead of only 
on the computer on which it was 
installed. The list goes on and on. From 
many perspectives, this approach 
makes more sense than stamping out 
thousands of CDs, testing the software 
on hundreds of configurations and 
staffing a large call center to support 
all of those configurations. 

But for all of the hoopla, Web appli- 
cations still are limited compared to 
their desktop counterparts. Because all 
serious processing is done on the server, 
including writing to and reading from 
databases and files, instantaneous feed- 
back from the interface is almost impos- 
sible. Even with the fastest servers and a 
lot of clever magic, such programs still 
can seem somewhat tedious. Google’s 
new maps system (see the on-line 
Resources), for example, demonstrates 
that it is possible, albeit difficult, to cre- 
ate Web applications that feel much like 
their desktop counterparts. 

Those of us without Google’s 
resources increasingly are turning to 
another solution, namely using hybrid 
software—desktop applications that rely 
heavily on Web technologies. It used to 
be that Web technology could be 
described, with a fair degree of preci- 
sion, as HTML-formatted documents 
retrieved by way of HTTP using a URL. 
Web browsers were, for a long time, the 
only programs that made serious use of 
these standards. 

Today, however, a growing number 
of desktop programs make use of 
HTML, HTTP and URLs, even though 
they aren’t Web browsers. They use 
URLs to locate remote resources, 
HTML for its simple, universally 
understood method of creating hyper- 
linked documents and HTTP because 
it is reliable, simple, universal and 
cacheable. There aren’t too many
examples of word processors and
spreadsheets using these protocols—at
least, not that I’m aware of—but one
hybrid program has been playing an
increasingly prominent role in my
life, Mozilla Sunbird.

Sunbird (Figure 1) is the standalone version of the calendar 
extension that can be installed along with either Firefox or 
Thunderbird. Integration with these two programs is far from 
perfect, and I sometimes want to run or restart one without the 
other. So I installed Sunbird over the summer and have been 
pleased with each new release as it is made available. 

Now, you might think there is nothing inherently useful
about having a calendar use Web technologies. But in the
case of Sunbird and the iCalendar standard, there is a major
benefit—namely, the ability to create calendars for public
consumption. This month, we begin a several-month journey
through the creation, distribution and sharing of calendars
based on the iCalendar standard. Along the way, we’ll see
not only how to work with iCalendar, but how hybrid
applications can provide a powerful combination of features
and an enhanced user experience.


iCalendar and Sunbird 

iCalendar is an Internet standard for sharing calendar infor- 
mation across different computers. The basic idea is sim- 
ple: if all users at my office keep track of their schedules 
on their own computers, it makes things efficient for those 
individuals but no better for the group than if they were 
using a pocket diary. Scheduling meetings still would be a 
hassle. Moreover, group events would have to be entered 
once on each person’s calendar—meaning that when a 
meeting moves from Monday to Wednesday, each team 
member needs to adjust his or her individual calendars 
accordingly. 

iCalendar was designed to solve this problem by standard- 
izing the calendar files themselves such that those files can be 
transferred from one program to another. The original vision, 
as far as I can tell, pictured people using programs that imple- 
ment iCalendar on their computers and sharing that informa- 
tion with others by way of the network and Internet. The reali- 
ty has taken some time to catch up with this theory, but a vari- 
ety of programs now are available that do implement parts of 
the iCalendar suite. 

I should note that the entire iCalendar Project has been
the victim of some bad and unlucky naming problems. The
file in which data is stored and that can be used to inter-
change information is called vCalendar, just as the elec-
tronic business-card format is known as vCard. Strictly
speaking, vCalendar 1.0 is the older versit format and
iCalendar (RFC 2445) is its successor; an iCalendar file still
opens with BEGIN:VCALENDAR, but it declares VERSION:2.0.
Many people and applications, including Sunbird, refer to
the file format as iCalendar, even though the file identifies
itself as vCalendar. As you can imagine, the term iCalendar
has been shortened to iCal, which is especially unfortunate,
given that Apple’s Mac OS X operating system comes
with a program called iCal that uses this same file for-
mat. Because the use of vCalendar to describe these files
seems to have gone the way of the dodo, I simply use the
word iCalendar to refer to both the file format and the
overall standard.

Download and install the appropriate version of the 
Sunbird standalone calendar program; see Resources for the 
URL. If you’re a bit more daring, you can install one of the 
nightly builds; I actually am using Sunbird as my primary 
calendaring application, so I have been using the official 
builds. If you prefer to have your calendar integrated into 


either Firefox or Thunderbird, go to the main download 
page and choose the appropriate extension and version that 
you would like to install. If you install an extension to 
Firefox or Thunderbird, you need to restart the host program 
before continuing. 

Sunbird allows you to create two types of items, events and 
tasks. Events normally appear on the calendar itself and can 
include holidays and meetings. Tasks normally appear on the 
left side of the screen and indicate things that you should get 
done, with an optional starting and ending date. Sunbird 
changes the color of tasks according to how soon they need to 
be done; overdue tasks are in red, current ones are in blue and 
future ones are in green. Gray tasks are in the far-off future, 
and crossed-out ones —if you choose to display them—are 
completed tasks. 

Both events and tasks can be repeating, meaning we 
can schedule a meeting for every Wednesday at 4 PM 
over the next ten weeks rather than entering ten individual 
events in the calendar. We can enter exceptions to such 
recurring events as needed, and we can set them to recur 
every few days, months or years, with “every few” being 
user-definable. 


iCalendar Files 

The way in which Sunbird structures these events and
tasks strongly mirrors the iCalendar files in which they
are stored. Although you might expect a modern Internet
standard to use XML, iCalendar’s file format consists of
name-value pairs separated by a colon (:). Each event or
task sits between its own BEGIN and END lines, and the
entire calendar similarly is nested between overall BEGIN
and END lines. Normally, each name-value pair in an
iCalendar file sits on a single line. However, a line that
begins with a space or tab continues the previous line;
when the file is read, the line break and that one leading
whitespace character are removed, as in:


name: value
name2:
 value2
name3
 :value3


The above example defines three name-value pairs, each
making slightly different use of whitespace. Sunbird normally
uses the third option, such that each name is on a line by itself
with its associated value indented on a subsequent line.
Sunbird, as with other Mozilla products, puts all of its data
files in a profile directory whose name is created randomly
when you first start the program. The iCalendar files them-
selves are placed in the Calendar subdirectory within the pro-
file directory.

The beauty of iCalendar is you aren’t expected to have 
all of the calendar data in one file or even on one computer. 
An iCalendar-compliant program displays the union of all 
calendar data from all of the data files it has been instruct- 
ed to read. You thus can have several different calendar 
files on your own computer, each of which reflects a differ- 
ent aspect of your life, for example, personal vs. profes- 
sional. You also can retrieve calendar data files from other 
sources, including over HTTP, meaning that group calen- 
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dars can be stored on a public server but displayed on your 
own computer. 

When you first start Sunbird or when you first create a 
calendar with it, the program creates a CalendarDataFile.ics 
file. If you have more than one calendar, you end up with a 
number of such files on your system. Each file has the name 
CalendarDataFileN.ics, where N represents the number of the 
calendar you have created. 


The structure of the file itself is pretty simple. For example,
here is an iCalendar file with a single event, namely this
month’s Linux Journal deadline:


BEGIN:VCALENDAR
VERSION
 :2.0
PRODID
 :-//Mozilla.org/NONSGML Mozilla Calendar V1.0//EN
BEGIN:VEVENT
UID
 :05e55cc2-1dd2-11b2-8818-f578cbb4b77d
SUMMARY
 :LJ deadline
STATUS
 :TENTATIVE
CLASS
 :PRIVATE
X-MOZILLA-ALARM-DEFAULT-LENGTH
 :0
DTSTART
 :20050211T140000
DTEND
 :20050211T150000
DTSTAMP
 :20050209T132231Z
END:VEVENT
END:VCALENDAR


As you can see, the file begins and ends with VCALENDAR
declarations. Each event is surrounded by BEGIN:VEVENT
and END:VEVENT. Each event then has a unique ID; a sum-
mary, which normally is displayed in the calendar; a status; a
class, which indicates whether you want to share this calendar
information with others; and then the starting and ending
times. It also has a DTSTAMP showing when the entry was
written; once an event has been edited, Sunbird adds a
separate LAST-MODIFIED property alongside it.

Timestamps in iCalendar files adhere to a slightly
strange format: YYYYMMDD representing the date, then a T
followed by the time on a 24-hour clock, followed by an
optional Z. The Z marks the value as UTC; a value without
it is a “floating” local time, read against whatever time zone
the calendar program happens to be running in. Because I
currently am living in Chicago, six hours behind UTC in
February, the DTSTAMP above shows not the time on my
clock when I made the entry but the UTC time at that
moment; the DTSTART and DTEND values carry no Z and
are interpreted as 2 PM local time wherever the file is read.
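To see how little machinery a reader of this format needs, here is an added example written for this discussion; it is not Sunbird’s code, nor code from the original column. It unfolds continuation lines, splits each content line into a property name and value, tracks BEGIN/END nesting and tells the two timestamp styles apart. The calendar it parses is the single-event file above, re-typed here as constructed test input with the indentation that Sunbird writes and that the printed listing loses; the function names (unfold, parse_line, parse_dt, to_local, parse_calendar, events) are mine.

```python
from datetime import datetime, timedelta, timezone

# Constructed input: the single-event file shown above, re-typed in Sunbird's
# layout (property name on one line, " :value" on an indented continuation).
SAMPLE_ICS = """\
BEGIN:VCALENDAR
VERSION
 :2.0
PRODID
 :-//Mozilla.org/NONSGML Mozilla Calendar V1.0//EN
BEGIN:VEVENT
UID
 :05e55cc2-1dd2-11b2-8818-f578cbb4b77d
SUMMARY
 :LJ deadline
STATUS
 :TENTATIVE
CLASS
 :PRIVATE
X-MOZILLA-ALARM-DEFAULT-LENGTH
 :0
DTSTART
 :20050211T140000
DTEND
 :20050211T150000
DTSTAMP
 :20050209T132231Z
END:VEVENT
END:VCALENDAR
"""


def unfold(text):
    """Undo line folding: a physical line starting with a space or tab
    continues the previous one, and RFC 2445 unfolding drops the line
    break plus that single whitespace character."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_line(line):
    """Split NAME[;PARAM=VALUE...]:VALUE into (name, params, value),
    stripping stray whitespace so 'name: value' reads like 'name:value'."""
    head, sep, value = line.partition(":")
    if not sep:
        raise ValueError("content line has no ':' separator: %r" % line)
    name, *params = head.split(";")
    return name.strip().upper(), [p.strip() for p in params], value.strip()


def parse_dt(value):
    """YYYYMMDDTHHMMSS[Z]: a trailing Z means UTC; no suffix means a
    floating local time, which is returned as a naive datetime."""
    if value.endswith("Z"):
        naive = datetime.strptime(value[:-1], "%Y%m%dT%H%M%S")
        return naive.replace(tzinfo=timezone.utc)
    return datetime.strptime(value, "%Y%m%dT%H%M%S")


def to_local(dt, offset_hours):
    """Show a UTC timestamp in a fixed-offset zone (-6 is Chicago in
    February).  Floating times have no zone and come back unchanged."""
    if dt.tzinfo is None:
        return dt
    return dt.astimezone(timezone(timedelta(hours=offset_hours)))


def parse_calendar(text):
    """Build the BEGIN/END tree.  Each component is a dict of
    NAME -> value plus 'NAME' (its type) and 'CHILDREN' (nested ones)."""
    root = {"NAME": "ROOT", "CHILDREN": []}
    stack = [root]
    for line in unfold(text):
        if not line.strip():
            continue
        name, _params, value = parse_line(line)
        if name == "BEGIN":
            component = {"NAME": value.upper(), "CHILDREN": []}
            stack[-1]["CHILDREN"].append(component)
            stack.append(component)
        elif name == "END":
            if len(stack) == 1 or stack[-1]["NAME"] != value.upper():
                raise ValueError("END:%s does not close an open BEGIN" % value)
            stack.pop()
        else:
            stack[-1][name] = value
    if len(stack) != 1:
        raise ValueError("unterminated BEGIN:%s" % stack[-1]["NAME"])
    return root["CHILDREN"]


def events(text):
    """Every VEVENT in the file, at any nesting depth."""
    found = []

    def walk(components):
        for c in components:
            if c["NAME"] == "VEVENT":
                found.append(c)
            walk(c["CHILDREN"])

    walk(parse_calendar(text))
    return found


if __name__ == "__main__":
    for ev in events(SAMPLE_ICS):
        start = parse_dt(ev["DTSTART"])
        stamp = to_local(parse_dt(ev["DTSTAMP"]), -6)
        print(ev["SUMMARY"], "starts", start, "(floating); written", stamp)
```

Run as a script it prints the deadline as a floating 2 PM start and a DTSTAMP of 7:22 in Chicago; a mismatched END or a missing END raises instead of silently producing a half-read calendar, which is the behaviour you want from anything that will later read files fetched from other people’s servers.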

What happens if I have a monthly deadline, and I want 
to include that in this calendar event? In Sunbird, I can go 
into the recurrence tab in the event editor by double-click- 
ing on the event. There, I indicate that I want this event to 
repeat once every month, which changes the interface such 
that I’m now asked if it should be on the 11th of every 
month—that is, on the same date—or on the second Friday 
of every month, relative to the month. If I choose the first, 


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my iCalendar file looks like this: 


BEGIN:VCALENDAR
VERSION
 :2.0
PRODID
 :-//Mozilla.org/NONSGML Mozilla Calendar V1.0//EN
BEGIN:VEVENT
UID
 :05e55cc2-1dd2-11b2-8818-f578cbb4b77d
SUMMARY
 :LJ deadline
STATUS
 :TENTATIVE
CLASS
 :PRIVATE
X-MOZILLA-ALARM-DEFAULT-LENGTH
 :0
X-MOZILLA-RECUR-DEFAULT-UNITS
 :months
RRULE
 :FREQ=MONTHLY;INTERVAL=1
DTSTART
 :20050211T140000
DTEND
 :20050211T150000
DTSTAMP
 :20050211T132231Z
LAST-MODIFIED
 :20050211T153505Z
END:VEVENT
END:VCALENDAR


Notice how an RRULE property has been added, with val-
ues of FREQ=MONTHLY and INTERVAL=1. You might
imagine that if I were to change this deadline to be every two
weeks, it would be FREQ=WEEKLY and INTERVAL=2. This
is true, except that Sunbird also adds a BYDAY=FR part,
indicating that the event happens on Fridays.

If I choose to make this event occur on the second Friday 
of each month, the iCalendar file looks like this: 


BEGIN:VCALENDAR
VERSION
 :2.0
PRODID
 :-//Mozilla.org/NONSGML Mozilla Calendar V1.0//EN
BEGIN:VEVENT
UID
 :05e55cc2-1dd2-11b2-8818-f578cbb4b77d
SUMMARY
 :LJ deadline
STATUS
 :TENTATIVE
CLASS
 :PRIVATE
X-MOZILLA-ALARM-DEFAULT-LENGTH
 :0
X-MOZILLA-RECUR-DEFAULT-UNITS
 :months
RRULE
 :FREQ=MONTHLY;INTERVAL=1;BYDAY=2FR
DTSTART
 :20050211T140000
DTEND
 :20050211T150000
DTSTAMP
 :20050211T132231Z
LAST-MODIFIED
 :20050211T153824Z
END:VEVENT
END:VCALENDAR


Notice how the RRULE property still is FREQ=MONTHLY,
because this happens every month, with INTERVAL=1.
Also notice that BYDAY=2FR has been added, meaning that
the event takes place on the second Friday of each month,
whatever its date. The two rules agree in February and March
2005 and first part company in April, when the second Friday
is the 8th rather than the 11th.
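Sunbird does the expansion of these rules for you, but it is worth seeing what the expansion involves. What follows is an added example, my own code rather than Sunbird’s or Mozilla’s, that turns a DTSTART plus an RRULE into concrete dates for the three rules shown above (monthly on the same date, every two weeks on Friday, and the second Friday of each month) and, going a little beyond the column, for DAILY and YEARLY rules, negative ordinals such as -1FR, COUNT and UNTIL, using only the standard library. It assumes the RFC 2445 defaults the column relies on (weeks start on Monday, INTERVAL defaults to 1) and deliberately supports only that subset; BYMONTHDAY, BYSETPOS and the other rule parts are rejected rather than guessed at. The function names and the sample dates are mine.

```python
import calendar
from datetime import datetime, timedelta

WEEKDAYS = {"MO": 0, "TU": 1, "WE": 2, "TH": 3, "FR": 4, "SA": 5, "SU": 6}
DT_FORMAT = "%Y%m%dT%H%M%S"          # iCalendar's YYYYMMDDTHHMMSS
SUPPORTED = {"FREQ", "INTERVAL", "COUNT", "UNTIL", "BYDAY"}


def parse_rrule(text):
    """'FREQ=MONTHLY;INTERVAL=1;BYDAY=2FR' -> {'FREQ': 'MONTHLY', ...}"""
    rule = {}
    for part in text.split(";"):
        key, sep, val = part.strip().partition("=")
        if not sep:
            raise ValueError("bad RRULE part: %r" % part)
        rule[key.strip().upper()] = val.strip().upper()
    if "FREQ" not in rule:
        raise ValueError("RRULE needs a FREQ")
    unknown = set(rule) - SUPPORTED
    if unknown:
        raise ValueError("unsupported RRULE parts: %s" % ", ".join(sorted(unknown)))
    return rule


def parse_byday(spec):
    """'2FR' -> (2, 4); 'FR' -> (None, 4); '-1MO' -> (-1, 0)."""
    day, ordinal = spec[-2:], spec[:-2]
    if day not in WEEKDAYS or (ordinal and int(ordinal) == 0):
        raise ValueError("bad BYDAY entry: %r" % spec)
    return (int(ordinal) if ordinal else None, WEEKDAYS[day])


def nth_weekday(year, month, n, weekday):
    """Day-of-month of the n-th weekday (n < 0 counts from the end), or None."""
    days = [d for d in range(1, calendar.monthrange(year, month)[1] + 1)
            if datetime(year, month, d).weekday() == weekday]
    index = n - 1 if n > 0 else n
    return days[index] if -len(days) <= index < len(days) else None


def add_months(dt, months):
    """dt moved forward by whole months; None if that day does not exist
    (31 January + 1 month), which RFC 2445 says to skip, not to round."""
    total = dt.year * 12 + (dt.month - 1) + months
    year, month0 = divmod(total, 12)
    if dt.day > calendar.monthrange(year, month0 + 1)[1]:
        return None
    return dt.replace(year=year, month=month0 + 1)


def occurrences(dtstart, rrule, limit=12):
    """Up to `limit` occurrence datetimes of the rule, DTSTART first."""
    rule = parse_rrule(rrule)
    freq = rule["FREQ"]
    interval = int(rule.get("INTERVAL", "1"))
    if interval < 1:
        raise ValueError("INTERVAL must be at least 1")
    if "COUNT" in rule:
        limit = min(limit, int(rule["COUNT"]))
    until = (datetime.strptime(rule["UNTIL"].rstrip("Z"), DT_FORMAT)
             if "UNTIL" in rule else None)
    bydays = [parse_byday(d) for d in rule["BYDAY"].split(",")] if "BYDAY" in rule else []

    out = []
    for period in range(10000):          # hard stop for rules that never fire
        if len(out) >= limit:
            break
        step = interval * period
        candidates = []
        if freq == "DAILY":
            candidates = [dtstart + timedelta(days=step)]
        elif freq == "WEEKLY":
            monday = dtstart - timedelta(days=dtstart.weekday()) + timedelta(weeks=step)
            weekdays = sorted(wd for _, wd in bydays) or [dtstart.weekday()]
            candidates = [monday + timedelta(days=wd) for wd in weekdays]
        elif freq == "MONTHLY":
            if bydays:                   # "second Friday": BYDAY with an ordinal
                first = add_months(dtstart.replace(day=1), step)
                for n, wd in bydays:
                    if n is None:
                        raise ValueError("MONTHLY BYDAY needs an ordinal, e.g. 2FR")
                    day = nth_weekday(first.year, first.month, n, wd)
                    if day is not None:
                        candidates.append(first.replace(day=day))
            else:                        # "the 11th": same calendar day each month
                shifted = add_months(dtstart, step)
                if shifted is not None:
                    candidates.append(shifted)
        elif freq == "YEARLY":
            try:
                candidates = [dtstart.replace(year=dtstart.year + step)]
            except ValueError:           # 29 February in a non-leap year
                candidates = []
        else:
            raise ValueError("unsupported FREQ %r" % freq)
        for when in sorted(candidates):
            if when < dtstart:           # DTSTART's own week may hold earlier days
                continue
            if until is not None and when > until:
                return out
            if len(out) < limit:
                out.append(when)
    return out


def expand(dtstart_text, rrule, limit=12):
    """Convenience wrapper taking DTSTART as the iCalendar string."""
    return occurrences(datetime.strptime(dtstart_text, DT_FORMAT), rrule, limit)
```

expand("20050211T140000", "FREQ=MONTHLY;INTERVAL=1;BYDAY=2FR", 3) yields February 11, March 11 and April 8, while the plain FREQ=MONTHLY;INTERVAL=1 rule yields the 11th of each month. Rules that would land on a day that does not exist simply skip that period, which is why a monthly event created on January 31 fires next on March 31.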

Finally, let’s take advantage of Sunbird’s ability to have
remote calendars by moving this file out of our directory and
onto another system. I move the CalendarDataFile7.ics file,
which was so named because it was the seventh calendar I cre-
ated, to /tmp. I then copy it to my Web site so it can be avail-
able at the URL http://reuven.lerner.co.il/CalendarDataFile7.ics.
I double-check that the file is available from this URL by trying
to download it using wget. When I see that it works fine, I
know I can put this information into Sunbird.

Now I go into Sunbird and delete the ATF calendar;
Sunbird won’t let you remove the filename of an existing
local calendar. I then choose subscribe to remote calendar
from the File menu, and enter the URL at which I have
placed my .ics file. Once the calendar has been downloaded,
I see the LJ deadline event on my calendar each month,
exactly as if it were on my local machine. And, in fact, if
you look in the Calendar directory, you can see that the file
is on your local machine. It has been downloaded and
installed into that directory, and it can be refreshed whenever
you request. Simply right-click on the calendar name and
select reload remote calendar.

Keep in mind what publishing a file this way does and
does not do. The CLASS:PRIVATE property is advice to a
calendar program about how to treat an entry, not an
access control: anyone who can fetch the URL reads every
event in the file. And because the calendar is fetched over
plain HTTP, nothing stops someone on the network path
from altering it before it reaches Sunbird; a calendar you
rely on belongs on a server you control, reached over HTTPS
where your server and client support it.


Conclusion 
Our investigation of hybrid desktop-Web applications has begun 
with an examination of the iCalendar/vCalendar file format, 
using the Mozilla standalone Sunbird application. We were able 
to create different types of events and then move the resulting 
iCalendar file from our local machine to a remote server. 

However, our calendar is static, meaning that someone has 
to modify it by hand or by uploading a calendar file each time 
it changes. In my next column, we will learn how to create 
iCalendar files dynamically, using a Web/database application. 
We then will look at different ways in which calendars created 
on one computer can be written to a server and shared with 
other people. 

Resources for this article: www.linuxjournal.com/article/
8128.


Reuven M. Lerner, a longtime Web/database con- 
sultant and developer, now is a graduate student in 
the Learning Sciences program at Northwestern 
University. His Weblog is at altneuland.lerner.co.il, 
and you can reach him at reuven@lerner.co.il. 
Kprobes—A Kernel Debugger


Looking for a way to use some of the same 
debugging techniques in the kernel that you apply 
in user-space code? Here’s how to bring debugging 
support to tricky kernel development problems. 
BY R. KRISHNAKUMAR 


Kprobes is a mechanism used to register breakpoints
and corresponding handlers. After enabling Kprobes
support in the kernel, we can debug any instruction
at any kernel address. This article explains how to
compile a kernel with Kprobes and how to register and unreg-
ister Kprobes, using a live example. It also covers the concept
of debugging the kernel, plus internal operations of the
Kprobes framework and its features.

To get started, suppose we are trying to debug a specific 
instruction at an address location in the kernel. Using the facili- 
ties provided by Kprobes, we can execute three functions, 
namely, pre-handler, post-handler and fault handler. The pre- 
handler function is executed before the execution of the 
instruction at the debugged memory location takes place. The 
post-handler executes after the instruction being debugged is 
executed. The fault handler is executed if the instruction leads 
to a fault. 

To explain further, let’s look at an example. Suppose we 
want to debug the instruction at location x. Let the instruction 
at location x be i. The function to be executed before i is exe- 
cuted, the pre-handler, is named pre_x. The function to be exe- 
cuted after the i is executed, the post-handler, is named post_x. 
The fault handler itself is fault_x. 

Before i is executed, Kprobes runs the pre_x function. In 
the pre_x function we can do some necessary debugging 
actions, such as checking the contents of various registers and 
manipulating the registers. After the pre_x finishes executing, i 
executes, followed by post_x. The fault handler comes into the 
picture when the instruction i causes an operating system fault. 
If the fault occurs due to the execution of i, the fault handler, 
fault_x, is called. 


Features 

A debugging console is not necessary when using Kprobes.
This is a significant design point, because it results in minimal
system dependencies for operation. It therefore allows debug-
ging to be performed at interrupt time, during context switches,
while interrupts are disabled and so on.


In addition, no forced serialisation of system processes is 
required for operation. In particular, in an SMP environment no 
interprocessor serialisation is required. 

Another important feature of Kprobes is that data can be 
extracted by a probe handler and saved in a buffer. This is sig- 
nificant for later examination of data from a crashdump or data 
dumped to the console at a consistent time. 


How to Enable Kprobes Support in the Kernel 

After being out-of-tree patches for a long time, Kprobes finally 
was included in the vanilla Linux kernel. This article covers 
the core Kprobes functionality included as of kernel version 
2.6.9. Many other features are supported by Kprobes, and they 
are available as patches from the Kprobes Web site (see the on- 
line Resources). 

Download the vanilla kernel from www.kernel.org. While 
configuring the kernel, go to the Kernel Hacking submenu. 
Enable Kernel debugging, and then choose the Kprobes option. 
Compile the kernel with this configuration and boot it. 

After we have enabled Kprobes, we can use the kernel
API to register and unregister probes. The function used to
register a Kprobe is register_kprobe. This function takes a
pointer to a structure called struct kprobe. The definition of
the structure is:


struct kprobe {
    struct hlist_node hlist;
    /* location of the probe point */
    kprobe_opcode_t *addr;
    /* called before the probed instruction executes */
    kprobe_pre_handler_t pre_handler;
    /* called after the probed instruction has executed */
    kprobe_post_handler_t post_handler;
    /* called if executing the probed instruction faults */
    kprobe_fault_handler_t fault_handler;
    /* called if a breakpoint trap occurs inside a probe handler */
    kprobe_break_handler_t break_handler;
    /* saved opcode, replaced in memory by the breakpoint */
    kprobe_opcode_t opcode;
    /* copy of the original instruction */
    kprobe_opcode_t insn[MAX_INSN_SIZE];
};


In the struct we can specify the following: 
1. The address on which Kprobe has to be set (addr). 
2. The pre-handler to be executed (pre_handler). 
3. The post-handler to be executed (post_handler). 
4. The fault handler to be executed (fault_handler). 

To unregister a Kprobe, you can use unregister_kprobe,
which takes the same argument as register_kprobe.

The prototypes of register_kprobe and unregister_kprobe are
simple:


int register_kprobe(struct kprobe *p);
void unregister_kprobe(struct kprobe *p);


You can find these definitions in include/linux/kprobes.h.
register_kprobe returns 0 on success and a negative value
when the probe cannot be placed, for example, because a
probe already is registered at that address; anything other
than a throwaway test module should check that return value
before assuming its handlers will run.


Live Action 

Let’s look at a real example of the process of kernel debugging
using Kprobes. We begin by loading a module that contains the
function we are going to debug. The code to do this is as follows;
I have added the line numbers for reference:
 1  /* Filename: first.c */
 2
 3  #include <linux/module.h>
 4  #include <linux/init.h>
 5
 6  int hello_to_debug(void)
 7  {
 8      printk("\nFrom the function - %s\n",
 9             __FUNCTION__);
10      return 0;
11  }
12
13  static void exit_to_debug(void)
14  {
15      printk("\nModule exiting \n");
16  }
17
18  static int init_to_debug(void)
19  {
20      printk("\nKeeping the function to debug"
21             "\nat the kernel address %p\n",
22             hello_to_debug);
23      return 0;
24  }
25
26  EXPORT_SYMBOL(hello_to_debug);
27  module_init(init_to_debug);
28  module_exit(exit_to_debug);
29
30  MODULE_AUTHOR("Krishnakumar. R, "
31                "<rkrishnakumar@gmail.com>");
32  MODULE_DESCRIPTION("Kprobes test module");
33  MODULE_LICENSE("GPL");

Suppose we need to debug the function given in line 6,
hello_to_debug. Begin by compiling the above code and inserting
it as a module. The EXPORT_SYMBOL directive at line 26
makes sure that the rest of the kernel code can see this function.


Now, insert Kprobe at the location to be debugged, the 
function hello_to_debug: 


 1  /* Filename: kprobes.c */
 2  #include <linux/module.h>
 3  #include <linux/init.h>
 4
 5  #include <linux/kprobes.h>
 6
 7  static struct kprobe kpr;
 8  extern int hello_to_debug(void);
 9
10  static void __exit exit_probe(void)
11  {
12      printk("\nModule exiting \n");
13      unregister_kprobe(&kpr);
14  }
15
16  static int before_hook(struct kprobe *kpr,
17                         struct pt_regs *p)
18  {
19      printk("\nBefore hook");
20      printk("\nThis is the Kprobe pre \n"
21             "handler for instruction at \n"
22             "%p\n", kpr->addr);
23      printk("The registers are:\n");
24      printk("eax=%lx, ebx=%lx, ecx=%lx, \n"
25             "edx=%lx\n", p->eax, p->ebx,
26             p->ecx, p->edx);
27      printk("eflags=%lx, esp=%lx\n",
28             p->eflags, p->esp);
29      return 0;
30  }
31
32  static int after_hook(struct kprobe *kpr,
33                        struct pt_regs *p,
34                        unsigned long flags)
35  {
36      printk("\nAfter hook");
37      printk("\nThis is the Kprobe post \n"
38             "handler for instruction at "
39             "%p\n", kpr->addr);
40      printk("The registers are:\n");
41      printk("eax=%lx, ebx=%lx, ecx=%lx, \n"
42             "edx=%lx\n", p->eax, p->ebx,
43             p->ecx, p->edx);
44      printk("eflags=%lx, esp=%lx\n",
45             p->eflags, p->esp);
46      return 0;
47  }
48
49  static int __init init_probe(void)
50  {
51      printk("\nInserting the kprobes \n");
52      /* Registering a kprobe */
53      kpr.pre_handler =
54          (kprobe_pre_handler_t)before_hook;
55      kpr.post_handler =
56          (kprobe_post_handler_t)after_hook;
57      kpr.addr =
58          (kprobe_opcode_t *)(&hello_to_debug);
59      printk("\nAddress where the kprobe is \n"
60             "going to be inserted - %p\n",
61             kpr.addr);
62      register_kprobe(&kpr);
63      return 0;
64  }
65
66  module_init(init_probe);
67  module_exit(exit_probe);
68
69  MODULE_AUTHOR("Krishnakumar. R, "
70                "<rkrishnakumar@gmail.com>");
71  MODULE_DESCRIPTION("Kprobes test module");
72  MODULE_LICENSE("GPL");



Line 57 specifies the address location where Kprobe should 
be set. Lines 53 and 55 specify the pre-handler and the post- 
handler functions, which should be activated corresponding to 
the address location. Line 62 registers Kprobe. So, when the 
above code is compiled and inserted as a module, Kprobe is 
registered at the hello_to_debug function. When the module is 
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unloaded, Kprobe is unregistered, as shown in line 13. 
Now we have to invoke the function we are debugging. 
This is done with the following code: 


 1  /* Filename: call.c */
 2
 3  #include <linux/module.h>
 4  #include <linux/init.h>
 5
 6  extern int hello_to_debug(void);
 7
 8  static void __exit exit_to_debug(void)
 9  {
10      printk("\nModule exiting \n");
11  }
12
13  static int __init init_to_debug(void)
14  {
15      printk("\nCalling the function \n");
16      hello_to_debug();
17      return 0;
18  }
19
20  module_init(init_to_debug);
21  module_exit(exit_to_debug);
22
23  MODULE_AUTHOR("Krishnakumar. R, "
24                "<rkrishnakumar@gmail.com>");
25  MODULE_DESCRIPTION("Kprobes test module");
26  MODULE_LICENSE("GPL");


Line 16 here calls the function we are debugging. The Kprobes framework invokes the pre-handler prior to the execution of the function, and the post-handler is invoked after the execution of the instruction under debug. We then can print the register contents and Kprobe information. The following is the transcript of messages I received after compiling and inserting the above modules.

Inserting the first module:

[root@kk code]# /sbin/insmod first.ko
Keeping the function to debug
at the kernel address c883a000

Inserting the Kprobes placing module:

[root@kk code]# /sbin/insmod kprobes.ko
Inserting the kprobes
Address where the kprobe is
going to be inserted - c883a000

Calling the function under debug:

[root@kk code]# /sbin/insmod call.ko
Calling the function

Before hook
This is the Kprobe pre
handler for instruction at
c883a000
The registers are:
eax=17, ebx=c47ba000, ecx=c1264090,
edx=c47ba000
eflags=296, esp=c884000f

After hook
This is the Kprobe post
handler for instruction at c883a000
The registers are:
eax=17, ebx=c47ba000, ecx=c1264090,
edx=c47ba000
eflags=196, esp=c883a09e

From the function - hello_to_debug


Breakpoints and Debuggers 

To understand better how Kprobes works, we should know the general concept of breakpoints, because Kprobes makes use of the same mechanism. A breakpoint is a mechanism provided by the hardware in most processors that we can use for debugging. For now, we are going to consider the x86 architecture. The instruction set for the processor provides a breakpoint instruction, and this instruction generates a breakpoint exception. Thus, control is transferred to the breakpoint exception handler. Most debuggers use this facility.

Suppose the debugger makes use of the breakpoint mechanism to debug. If it has to debug an instruction at a particular location, it replaces the corresponding instruction with the breakpoint instruction. The breakpoint instruction then generates the exception. The debugger contains a provision to be informed whenever such an exception is generated. The debugger then takes the necessary debugging steps, such as printing out the register values and manipulating them, as well as replacing the instruction with the original instruction. After this, execution of the instruction proceeds as usual.


Pre-Handler 
When we register a pre-handler, what actually happens is Kprobes replaces the instruction at the memory location with a breakpoint instruction. The instruction that was present there is saved for later reference.

The following lines from the function int register_kprobe(struct kprobe *p) in kernel/kprobes.c do this:

p->opcode = *p->addr;
*p->addr = BREAKPOINT_INSTRUCTION;

Hence, whenever control reaches the particular location, the breakpoint exception occurs. The default breakpoint exception handler is modified by Kprobes. The modified exception handler checks whether the address has an instance of Kprobe associated with it. If there is an associated Kprobe, the exception handler executes the pre-handler. Otherwise, control is transferred to the normal breakpoint exception handler. If Kprobe is registered for that particular location, it prepares the processor to call the post-handler, which takes over once the pre-handler has executed.

The function responsible for handling the breakpoint is listed below:

asmlinkage int do_int3(struct pt_regs *regs, long error_code);

and the function that invokes the pre-handler is here:

static inline int kprobe_handler(struct pt_regs *regs);


Post-Handler 

The post-handler is executed after the instruction with which we associate the probe has executed. To facilitate this, the Kprobes framework gets some help from the hardware, specifically from a processor feature called trap generation.

If we have set the trap flag of the processor, it generates a trap exception after every instruction. After the pre-handler is run, the Kprobes framework sets the trap flag. It then replaces the breakpoint instruction with the original instruction. The function that prepares for the post-handler is presented below:

static inline void prepare_singlestep(struct kprobe *p, struct pt_regs *regs);

After the instruction we are debugging has executed, the processor generates a trap exception. The function responsible for the exception handling of the trap generation looks like this:

asmlinkage void do_debug(struct pt_regs * regs, long error_code);

and the function that does the necessary activities for the Kprobes post-handler is:

static inline int post_kprobe_handler(struct pt_regs *regs);

The post_kprobe_handler function calls the post-handler that we have registered for that particular probe.
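The breakpoint, pre-handler and post-handler sequence described in the last three sections (save the opcode, plant int3, run the pre-handler from the breakpoint exception, restore the instruction and set the trap flag, run the post-handler from the trap exception, re-arm) can be watched from user space. The following is an added example, not code from the article or from the kernel: it applies the same steps to a function in its own process on Linux/x86-64, using a SIGTRAP handler in place of do_int3 and do_debug; probed_target, register_uprobe, unregister_uprobe and struct uprobe are names chosen here.

```c
/* Added example: a user-space model of the Kprobes breakpoint cycle.
 * register_uprobe() saves the opcode and plants int3 (register_kprobe); the
 * SIGTRAP handler plays do_int3/kprobe_handler (pre-handler, restore the byte,
 * set TF as prepare_singlestep does) and do_debug/post_kprobe_handler
 * (post-handler, re-arm). Linux/x86-64 only; not kernel code. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

#define BREAKPOINT_INSTRUCTION 0xCC  /* int3 opcode, as in kernel/kprobes.c */
#define X86_EFLAGS_TF          0x100 /* trap flag: #DB after the next insn */

struct uprobe {
    uint8_t *addr;           /* probed instruction, like p->addr */
    uint8_t opcode;          /* saved original byte, like p->opcode */
    int pre_hits, post_hits; /* how often each handler ran */
    unsigned long arg_seen;  /* RDI (first argument) seen by the pre-handler */
};

static struct uprobe probe;
static volatile sig_atomic_t stepping; /* 1 between pre- and post-handler */

/* The function under debug, standing in for hello_to_debug(). */
__attribute__((noinline)) int probed_target(int x) { return x * 2 + 1; }

/* Make the page holding addr writable so the breakpoint can be planted. */
static int make_writable(uint8_t *addr)
{
    long page = sysconf(_SC_PAGESIZE);
    void *base = (void *)((uintptr_t)addr & ~(uintptr_t)(page - 1));
    return mprotect(base, (size_t)page, PROT_READ | PROT_WRITE | PROT_EXEC);
}

/* One handler for both exceptions; `stepping` tells them apart. */
static void sigtrap_handler(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = (ucontext_t *)ctx;
    greg_t *rip = &uc->uc_mcontext.gregs[REG_RIP];
    (void)sig; (void)si;
    if (!stepping) {
        /* Breakpoint exception: RIP is one byte past the int3. */
        if ((uint8_t *)(uintptr_t)*rip - 1 != probe.addr)
            return;                                      /* not our probe */
        probe.pre_hits++;                                /* pre-handler */
        probe.arg_seen = (unsigned long)uc->uc_mcontext.gregs[REG_RDI];
        *probe.addr = probe.opcode;                      /* original byte back */
        *rip = (greg_t)(uintptr_t)probe.addr;            /* execute it for real */
        uc->uc_mcontext.gregs[REG_EFL] |= X86_EFLAGS_TF; /* single-step it */
        stepping = 1;
    } else {
        /* Trap exception: the original instruction has now executed. */
        uc->uc_mcontext.gregs[REG_EFL] &= ~(greg_t)X86_EFLAGS_TF;
        *probe.addr = BREAKPOINT_INSTRUCTION;            /* re-arm for next call */
        probe.post_hits++;                               /* post-handler */
        stepping = 0;
    }
}

/* Like register_kprobe(): hook SIGTRAP, save the opcode, plant int3. */
int register_uprobe(int (*fn)(int))
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = sigtrap_handler;
    sa.sa_flags = SA_SIGINFO;
    probe.addr = (uint8_t *)(uintptr_t)fn;
    if (sigaction(SIGTRAP, &sa, NULL) != 0 || make_writable(probe.addr) != 0)
        return -1;
    probe.opcode = *probe.addr;
    *probe.addr = BREAKPOINT_INSTRUCTION;
    return 0;
}

/* Like unregister_kprobe(): put the original instruction back. */
void unregister_uprobe(void)
{
    if (probe.addr) *probe.addr = probe.opcode;
    probe.addr = NULL;
}

/* Probe probed_target() and call it twice; returns the second result (61) or -1. */
int run_probe_demo(void)
{
    int (*volatile fn)(int) = probed_target; /* volatile: keep the calls real */
    int r1, r2;
    if (register_uprobe(probed_target) != 0) return -1;
    r1 = fn(20);
    r2 = fn(30);
    unregister_uprobe();
    return r1 == 41 ? r2 : -1;
}

int main(void)
{
    int r = run_probe_demo();
    printf("result=%d pre=%d post=%d arg=%lu\n", r, probe.pre_hits, probe.post_hits, probe.arg_seen);
    return r == 61 ? 0 : 1;
}
```

Each call to the probed function trips the int3 once and the single-step trap once, so after two calls both counters read 2 and the function's results are unchanged, which is exactly the transparency Kprobes provides to the probed code.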


Fault Handler 

The fault handler is executed whenever a fault is generated when executing the instruction under debug. The function responsible for Kprobes’ activities on faults looks like this:

static inline int kprobe_fault_handler(struct pt_regs *regs, int trapnr);

This function is called under two circumstances:
1. Whenever a general protection fault occurs, do_general_protection, and we know that it has been generated by a Kprobes instruction.
2. Whenever a device-not-available fault generation occurs, and we know it has been generated by a Kprobes instruction.

In either of these cases, the fault handler can be used to discover what went wrong.


Conclusion 

The Kprobes patch helps a kernel developer debug any address within the kernel. Various patches are available from the Kprobes home page, including ones for setting watch points and for debugging user address locations. With proper use, Kprobes can become a powerful weapon in any kernel developer’s arsenal.
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Crossing Platforms 


Marcel takes a tour of a variety of games from a classic genre. Quick! Jump! BY MARCEL GAGNÉ


Careful, François, you’re going too fast! You’re going to fall in...too late. Ah, mon ami, you have lost another life to the deep-blue sea. In fact, you have lost all four, which means it is my turn. I know we are playing a game, but we also are sampling the fare on tonight’s menu, mon ami, testing it as part of Chez Marcel’s extensive quality control. Still, our guests will be here shortly, and I have yet to select a wine.

They are here already? My apologies, mes amis, we are somewhat distracted. Welcome to Chez Marcel, where fine wines always accompany fine Linux fare. Quick, François, to the wine cellar. Given the light nature of tonight’s menu, we need something that’s light and easy-drinking. Bring back the 2001 Modello Italian red.

My faithful waiter and I were looking at examples of a particular type of video game often referred to as a platform game. The idea of these games is fairly simple, and most tend to be scrolling two-dimensional affairs. While moving from level to level, searching for or collecting objects as you go, your player must run, jump and avoid objects or enemies. To do so invariably involves climbing or jumping across platforms that make it possible to move from one place to another. This type of game has been around for years but continues to be popular, and new ones are created all the time. This also is true in the Linux world.

Figure 1. Scavenger is an excellent homage to the old Lode Runner.

Many years ago, when this humble Chef was quite a bit younger, I was hooked on a game called Lode Runner.


Dave Ashley’s excellent Scavenger is similar to this classic game and is great fun to play (Figure 1). The idea is simple. You run around climbing ladders, shimmying across ropes and running from one platform to another, collecting gems while avoiding the bad guys. Depending on what is beneath your feet at the time, you also have the ability to dig holes, either for escape or to trap enemies.

Get your copy of X Scavenger by heading to the Scavenger Web site (see the on-line Resources), where you'll find the latest source. I have found that many contrib sites also offer precompiled binaries of the program, so you may want to look in your favorite distribution’s offerings. That said, building Scavenger from source is not difficult. It’s a slight variation on our classic extract-and-build process:


tar -xzvf xscavenger-1.4.4.tgz
cd xscavenger-1.4.4/src
xmkmf
make
su -c "make install"


The command name is scavenger, so that is what you have to run to start the game. It starts in demo mode, so you can watch the action and get a feel for how it works. Pressing F1 starts your game at your highest level; if this is the first time you are playing, you start at level 1.

Game controls are on the numeric keypad, though the cursor keys work for moving left, right, up and down. Two additional functions are provided for digging to the left and to the right. If you don’t like the default key mapping, which is a problem on a notebook keyboard, and already are playing a game, press Esc and then press the spacebar. This takes you to the configuration menu. Now, press F10 to remap your keyboard. I left the cursor keys as is for movement, but I chose the A key to dig left and the D key to dig right.

While you are busy remapping your keyboard, you might notice some other interesting options here. For instance, you can choose to demo various levels. Pressing F7 or F8 lets you go up or down levels in the demo mode. Possibly my favorite feature, though, is the level editor. Simply press F3 and you can create your own Scavenger levels, a great way to eat up your time.

Figure 2. Your job, soldier, is to rescue the MIA blobs. Any questions?

There’s nothing like a nice, friendly game to whet your appetite. It is extremely tempting for me to add a smiley somewhere in the last sentence, partly due to the next platform game I want to tell you about, a game of smileys gone bad. The game is called Blob Wars: Metal Blob Solid, from Parallel Realities, and it’s one of the stranger games I’ve played.

Blob Wars is a rescue-the-MIAs game with a bizarre 
twist. All of the characters are smileys, blobs if you will, 
and your task as Blob Soldier Bob is to traverse various 
unfriendly but occasionally nice-looking areas searching for 
other soldiers being held prisoner. Your job is to run your 
smiley soldier, firing various weapons—make sure you pick 
up the laser—at your opponents, jumping from platform to 
platform as you try to complete your mission without being 
destroyed (Figure 2). 

Precompiled RPMs and Debian packages are available from 
the Parallel Realities Web site, as is a source package should 
you need or want to compile the program yourself. You need 
the various SDL development libraries, but otherwise it’s quite 
simple, only four steps: 


tar -xzvf blobwars-1.02-1.tar.gz 
cd blobwars-1.02 

make 

su -c "make install" 


To play, launch the command blobwars. When the game 
starts, you are presented with a menu from which you can 
start a new game or continue one already in progress. The 
Options menu lets you switch from windowed to full-screen 
mode. You also can adjust the volume of both the sound and 
music track, as well as the brightness level. In addition, you 
can decide whether you want to have the blood and gore 
turned on. Yes, as you fire on enemy blobs, they scream and 
explode into a bloody fireworks display. Sure, it’s a little over 
the top, but the game is great fun. Really. 

You then are presented with a map identifying several 


locations where MIAs are being held. 
Each location constitutes a mission. In 
the course of the rescue operation, a 
number of useful objects are there for 
the taking. These could be a jet pack, 
laser guns, grenades or keys to open 
doors. Sometimes you pick up these 
objects from fallen enemies. When you 
find an MIA, simply walk over to it 
and it is beamed away from the action. 
As a Star Trek fan from way back, I 
loved the transporter graphics and 
sound effects. 

Could we possibly do justice to a menu of Linux platform games without including Tux, our favorite mascot? SuperTux is a classic jump-and-run platform game in the style of, you guessed it, Super Mario Bros. Under Tobias (Tobgle) Glaesser’s lead, but originally created by Bill Kendrick, the current alpha release of SuperTux is guaranteed to provide you with hours of fun. Don’t let that first alpha milestone fool you—this is a great game, one you absolutely need to check out.

The story goes like this: Tux and 
Penny (Tux’s love interest) are out on 
a nice date when Tux is knocked out 
and his lovely Penny is penguinnapped 
by the evil Nolok. Held prisoner in 
Nolok’s equally evil fortress, Tux must 
brave all sorts of perils to save his 
lovely lady. It is your job to help Tux 
succeed in his quest (Figure 3). 

Binary packages for a variety of distributions and platforms are available at the SuperTux Web site (see Resources), so there may be no need to build from source. Should you decide to go that route, though, building SuperTux is a classic extract-and-build five-step:

tar -xjvf supertux-0.1.2.tar.bz2
cd supertux-0.1.2
./configure
make
su -c "make install"

Figure 3. Can Tux save his beloved Penny from the evil Nolok?


The game can be played entirely with cursor keys, but joysticks and gamepads also are supported. Start the program by running the supertux command. The program starts with a handful of choices, such as jumping right into the game, loading a couple of bonus levels or creating your own, a little something for later. You also can set various options, including OpenGL support, sound and music settings and so on.

The play is fast and fun. Jump over the many enemies to avoid them. Objects are at different levels, so you climb or jump onto platforms to get from one obstacle to another. Collect gold coins as you go. Smash ice blocks with Tux’s head to discover power flowers or ice balls that transform him into SuperTux, a being of enhanced strength and power! When you complete a level, you are transported to the next, more complicated level. I’m still on level four as I write this.

Oh, no! Knocked out by that sliding ice block again. I think it’s definitely time for a refill, François. Given the theme of this last game, I think you should serve the Baked Alaska now. I also see that closing time is nearly upon us, but have no fear, mes amis. We will keep the doors open and the wine flowing. There is no hurry. Besides, the Baked Alaska needs to be eaten and Penny needs to be saved before François and I can close the restaurant for the night. Therefore, mes amis, let us all drink to one another’s health. À votre santé! Bon appétit!

Resources for this article: 
www.linuxjournal.com/article/8129.4 
Securing Your WLAN with WPA and FreeRADIUS, Part II


The new generation of security for wireless networks doesn’t simply fix WEP’s flaws—it enables you to use your RADIUS server to authenticate wireless users. BY MICK BAUER


Last month, I described the new wireless LAN security protocol, Wi-Fi Protected Access (WPA). I showed how it adds strong and flexible authentication, plus dynamic encryption-key negotiation, to the otherwise-insecure WEP protocol. I also showed how WPA’s component protocols, including 802.1x, the various flavors of EAP and RADIUS, interrelate. In this month’s column I start to show how to create your own authentication server for WPA and other 802.1x scenarios, using FreeRADIUS and OpenSSL.


Quick Review 
WPA, you may recall, is more modular than WEP. Whereas authentication and encryption in WEP both are achieved through a shared secret used by all wireless clients, authentication in WPA normally is achieved by using the 802.1x protocol. The pre-shared key (PSK) mode, which works more like WEP, also is an option. With WPA, unique encryption keys for each client are generated dynamically and refreshed periodically by the access point.

802.1x is a flexible authentication protocol that depends on 
the Extensible Authentication Protocol (EAP). Many different 
flavors of EAP, including EAP-TLS and PEAP, are supported 
in WPA-enabled products. If you choose to skip 802.1x and 
deploy WPA in the much simpler PSK mode, which gives you 
dynamic encryption key generation but exposes authentication 
credentials by transmitting them in clear text, all you need to 
do is configure your access point and wireless clients with the 
same pre-shared key. 

If, however, you want to use WPA to its full potential by employing the much-stronger authentication mechanisms in 802.1x, you need a RADIUS server. Commercial tools are available for this work, such as Funk Software’s Steel Belted RADIUS. But if you prefer a free and open-source RADIUS application, FreeRADIUS supports all major flavors of EAP and is both stable and secure. Here’s how you can put it to work.


Our Usage Scenario 

Naturally, I don’t have enough space to describe all possible 
uses of FreeRADIUS with 802.1x or even specifically with 
wireless scenarios. Therefore, let’s start with a description of 
an example usage scenario that subsequent procedures can 
implement. 

The most important choice to make when implementing 
WPA is which flavor of EAP to use. This is limited not only 
by what your RADIUS server software supports but also by 
your client platforms. Your wireless access point, interestingly, 
is EAP-agnostic—assuming it supports 802.1x and/or WPA in 
the first place. It simply passes EAP traffic from clients to 
servers, without requiring explicit support for any particular 
EAP subtype. 

What your client platform supports is a function both of 
your client operating system and of its wireless hardware. For 
example, a Microsoft Windows XP system with an Intel 
Pro/2100 (Centrino) chipset supports EAP-TLS and PEAP, but 
EAP-TTLS isn’t an option. But if you run Linux with 
wpa_supplicant (see the on-line Resources), you have a much 
wider range of choices available. 

In our example scenario, I cover EAP-TLS. EAP-TLS requires client certificates, which in turn require you to set up a certificate authority (CA). But there are several good reasons to use EAP-TLS. First, EAP-TLS is supported widely. Second, TLS (X.509 certificate) authentication provides strong security. Third, it really doesn’t require that much work to use OpenSSL to create your own CA.

Our example scenario, therefore, involves Windows XP 
clients using EAP-TLS to connect to a WPA-enabled access 
point. The access point, in turn, is configured to authenticate 
off of a FreeRADIUS 1.0.1 server running Linux. 


Getting and Installing FreeRADIUS 

SUSE 9.2, Fedora Core 3 and Red Hat Enterprise Linux each has its own FreeRADIUS RPM package, called freeradius. Debian Sarge (Debian-testing) has a DEB package by the same name. With Red Hat, Fedora and Debian-testing, additional packages are available if you want to use a MySQL authentication database. In addition, Debian-testing has a few other features broken out into still more packages. With all four distributions, however, the only package you should need for 802.1x authentication is the base freeradius package. If your favorite Linux distribution doesn’t have its own FreeRADIUS package, or if it does but not a recent enough version to meet your needs, you can download the latest FreeRADIUS source code from the Web site (see Resources).

Compiling FreeRADIUS is simple: it’s the common 
./configure && make && make install routine. If you’re 
new to the compiling game, see the source distribution’s 
INSTALL file for more detailed instructions. You should 
execute the configure and make commands as some non-root 
user and execute only make install as root. 

Notice that, by default, the configure script installs FreeRADIUS into subdirectories of /usr/local. Because the Makefile has no uninstall action, I recommend leaving this setting unchanged, as it simplifies removing FreeRADIUS later, should that become necessary.


Creating a Certificate Authority 
Before we configure FreeRADIUS, we 
need to create some certificates. And 
before we create any certificates, we 
must create our CA. My book Linux 
Server Security contains a section in 
Chapter 5 titled “How to Become a 
Small-Time CA”, which goes into more 
depth than I can go into right now, but 
here’s a crash course nonetheless. 

First, what is a CA and where should it reside? A CA is a system that acts as the root of a public key infrastructure. It’s the central authority that vouches, by way of digital signatures, for the authenticity of all certificates issued in your organization. It also periodically issues certificate revocation lists (CRLs), lists of certificates the CA no longer vouches for, for example, certificates issued to people who’ve left the organization, servers that are no longer on-line and so on.

None of this requires your CA to act as an actual server; in fact, it’s better if it doesn’t. For a CA to be trustworthy, it must be protected carefully from misuse. My own CAs, therefore, tend to reside on systems I only periodically connect to the network, such as VMware virtual machines.

You already may have a CA that you’ve used to create certificates for Web servers, stunnel or other applications that use TLS. If so, you can use it for WPA too. If not, here’s how to create a CA. First, make sure your designated CA system has OpenSSL installed. OpenSSL is a standard package on all popular Linux distributions, not to mention FreeBSD, OpenBSD and the like. One quick way to make sure you have OpenSSL is to issue the command which openssl—this returns the path to your OpenSSL command, if it’s installed.

Next, change your working directory 
to wherever your system keeps 
OpenSSL’s configuration and certificate 
files. On SUSE, this is /etc/ssl, but this 
location varies by distribution. Doing a 
search for the file openssl.cnf should 
bring you to the correct place. 

Now, open the file openssl.cnf with 
your text editor of choice. We need to 
tweak some default settings to make 
certificate creation speedier later on. 
Listing 1 shows the lines in openssl.cnf 
I like to change. 

Next, we should edit the CA creation script to change our CA’s root directory to something other than demoCA, that is, to match the dir variable we just changed in openssl.cnf. I use the script CA.sh, which on SuSE systems is located in /usr/share/ssl/misc but may reside elsewhere on your system. The line you need to change is CATOP=./micksCA.

If you changed your working directory to edit this file, change back to your SSL configuration directory, for example, /etc/ssl. From there, run the CA.sh script with the -newca option, for example, /usr/share/ssl/misc/CA.sh -newca. You then are prompted to create a new root certificate and to type a passphrase for its private key. Choose a difficult-to-guess passphrase, and write it down in a safe place—if you forget it, you'll be unable to use your CA.

After the script is done, your SSL configuration directory should contain a new directory, micksCA in our example. At the root level of this directory is your new CA’s public certificate; by default this file is named cacert.pem. As I demonstrate later, you need to copy this file to your FreeRADIUS server and to each wireless client.

Listing 1. Changes to openssl.cnf for Optimal Certificate Creation

# First we change the CA root path in the CA default
# section to reflect the CA we're about to create

[ CA_default ]
dir = ./micksCA     # Where everything is kept

# The following lines are further down in openssl.cnf:

countryName_default = US
stateOrProvinceName_default = Minnesota
0.organizationName_default = Industrial Wiremonkeys of the World

There’s one more thing you need to do before creating certificates if you’ve got Windows XP wireless clients. Windows XP expects certain attributes in server and client certificates, so you need to create a file called xpextensions that contains the lines shown in Listing 2.

Listing 2. Contents of xpextensions

[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

The xpextensions file is referenced in some of the OpenSSL commands I’m about to show you. It should reside in the same directory as openssl.cnf.


How EAP-TLS Works 


In EAP-TLS, a wireless client and your RADIUS server mutually authenticate each other. They present each other with their respective certificates and cryptographically verify that those certificates were signed by your organization's certificate authority. In some ways, this is an elegant and simple way to handle authentication. After you install the CA’s public certificate on the FreeRADIUS server, you don’t need to configure any other client information explicitly, such as user names, passwords and so on.

That doesn’t mean EAP-TLS is less work than user name-password schemes, however. You still need to use OpenSSL to create certificates for all your users and copy those certificates over to them. You also need to ensure that everyone has a copy of the root CA certificate installed in the proper place.
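What the two xpextensions sections in Listing 2 put into a certificate, and what the EAP-TLS peers check alongside the CA signature, is the extendedKeyUsage extension: a DER SEQUENCE of OIDs, 1.3.6.1.5.5.7.3.1 (serverAuth) for the RADIUS server and 1.3.6.1.5.5.7.3.2 (clientAuth) for wireless clients. The following added example, not code from the article or from OpenSSL, decodes that extension from constructed sample bytes and applies the server/client role check; parse_eku, oid_to_string, eku_allows_role and the EKU_* names are chosen here.

```c
/* Added example: decode an X.509 extendedKeyUsage value (DER SEQUENCE OF
 * OBJECT IDENTIFIER) and apply the server/client role check that the EAP-TLS
 * peers rely on. Sample bytes below are constructed; this is not OpenSSL code. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OID_SERVER_AUTH "1.3.6.1.5.5.7.3.1"  /* xpserver_ext in Listing 2 */
#define OID_CLIENT_AUTH "1.3.6.1.5.5.7.3.2"  /* xpclient_ext in Listing 2 */

enum { EKU_SERVER_AUTH = 1, EKU_CLIENT_AUTH = 2, EKU_OTHER = 4 };

/* Decode the content octets of an OBJECT IDENTIFIER into dotted form.
 * Returns the string length, or -1 if malformed or out does not fit. */
int oid_to_string(const unsigned char *p, size_t len, char *out, size_t outlen)
{
    size_t i, pos = 0;
    unsigned long v = 0;
    int first = 1, n;

    if (len == 0 || (p[len - 1] & 0x80)) return -1; /* empty or truncated arc */
    for (i = 0; i < len; i++) {
        if (v > (ULONG_MAX >> 7)) return -1;         /* arc too large */
        v = (v << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80) continue;                    /* more bytes follow */
        if (first) { /* first subidentifier packs arcs 1 and 2 as 40*a + b */
            unsigned long a = v < 80 ? v / 40 : 2, b = v < 80 ? v % 40 : v - 80;
            n = snprintf(out + pos, outlen - pos, "%lu.%lu", a, b);
            first = 0;
        } else {
            n = snprintf(out + pos, outlen - pos, ".%lu", v);
        }
        if (n < 0 || (size_t)n >= outlen - pos) return -1;
        pos += (size_t)n;
        v = 0;
    }
    return (int)pos;
}

/* Read one DER length (short or long form). Returns header bytes used or -1. */
static int der_len(const unsigned char *p, size_t avail, size_t *len)
{
    size_t i, n;
    if (avail < 1) return -1;
    if (p[0] < 0x80) { *len = p[0]; return 1; }
    n = p[0] & 0x7f;
    if (n == 0 || n > sizeof(size_t) || avail < 1 + n) return -1;
    for (*len = 0, i = 0; i < n; i++) *len = (*len << 8) | p[1 + i];
    return (int)(1 + n);
}

/* Parse ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId.
 * Returns a bitmask of EKU_* flags, or -1 if the encoding is malformed. */
int parse_eku(const unsigned char *der, size_t len)
{
    size_t seqlen, oidlen, pos;
    int hdr, flags = 0, count = 0;
    char oid[64];

    if (len < 2 || der[0] != 0x30) return -1;            /* SEQUENCE tag */
    hdr = der_len(der + 1, len - 1, &seqlen);
    if (hdr < 0 || 1 + (size_t)hdr + seqlen != len) return -1;
    for (pos = 1 + (size_t)hdr; pos < len; pos += oidlen, count++) {
        if (der[pos] != 0x06) return -1;                  /* OBJECT IDENTIFIER */
        hdr = der_len(der + pos + 1, len - pos - 1, &oidlen);
        if (hdr < 0) return -1;
        pos += 1 + (size_t)hdr;
        if (oidlen > len - pos) return -1;                /* OID runs past end */
        if (oid_to_string(der + pos, oidlen, oid, sizeof oid) < 0) return -1;
        if (strcmp(oid, OID_SERVER_AUTH) == 0) flags |= EKU_SERVER_AUTH;
        else if (strcmp(oid, OID_CLIENT_AUTH) == 0) flags |= EKU_CLIENT_AUTH;
        else flags |= EKU_OTHER;
    }
    return count ? flags : -1;                            /* SIZE (1..MAX) */
}

/* Role check: a RADIUS server certificate must assert serverAuth and a
 * wireless client certificate clientAuth. Returns 1 if acceptable, else 0. */
int eku_allows_role(const unsigned char *der, size_t len, int server_role)
{
    int f = parse_eku(der, len);
    if (f < 0) return 0;
    return server_role ? (f & EKU_SERVER_AUTH) != 0 : (f & EKU_CLIENT_AUTH) != 0;
}

/* Constructed samples: the extension value xpserver_ext / xpclient_ext yield. */
const unsigned char EKU_SERVER[] = { 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06,
                                     0x01, 0x05, 0x05, 0x07, 0x03, 0x01 };
const unsigned char EKU_CLIENT[] = { 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06,
                                     0x01, 0x05, 0x05, 0x07, 0x03, 0x02 };

int main(void)
{
    char oid[64];
    oid_to_string(EKU_SERVER + 4, 8, oid, sizeof oid);
    printf("server cert EKU %s: server role %d, client role %d\n", oid,
           eku_allows_role(EKU_SERVER, sizeof EKU_SERVER, 1),
           eku_allows_role(EKU_SERVER, sizeof EKU_SERVER, 0));
    return 0;
}
```

A certificate signed with the wrong section (a server certificate carrying only clientAuth, or vice versa) fails the role check even though its CA signature is valid, which is the failure a Windows XP supplicant reports when xpextensions is skipped.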
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Why buy more Servers 


when all you need 
is more Disks? 


Linux + Disks + Ethernet = EtherDrive’ 


Disks go inside servers... right? If you run out of disk space 
you get another server... right? Well, that used to be the 
case, but not any more. Now you can expand the disk 
space on any server with EtherDrive Storage Blades. 


EtherDrive Storage Blades are simple and easy to use. And 
the best part is, you already know how. An EtherDrive 
Storage Blade is a disk drive mounted on a very small 
server attached directly to your network. Each blade is a 
nanoserver, with firmware that puts the disk’s storage right 
on your network. No IP addresses. Just disks on the 
network accessible by your servers. 


Just Disk Drives on Ethernet 


The open protocol, ATA-over-Ethernet, allows the most in 
flexibility and operalion simplicily. Since ElherDrive blades 
just look like local disks, you already know how to use them. 
Use any file system software. Use any RAID software, or 
Coraid’s open source RAIDBlade appliance. Use any 
volume management soflware. It’s all up lo you lo decide 
how to organize your disks. And, since the protocol is open, 
you know everything about how it works. The protocol is 
simple, only 8 pages. The open source device driver means 
you never have lo look al the protocol. Bul isn’t it good lo 
know you can? 


Complete Control 


You have complete control over the contents of the disk 
EtherDrive doesn’t store anything on your disks that you 
don't want. You can take a disk from a running system, 
install iton an EtherDrive Storage Blade, and mount it. That 
means you are always in control. No data reformatting. No 
captive data. Just disk drives on the network. You never 
have to worry about getting your data off of an EtherDrive 
Blade if it fails. Just mount the disk on a system or another 
Blade and you're back in business 


EtherDrive Storage Blades insert into a shelf of 10 slols. 
Using 400GB ATA disks you can have 4TB in one 3U rack 
space. You can add up to 4,095 shelves on a single network. 
That means you can have servers sharing more than 16 
Pelabyles.....Imagine thal. 


40,000 Disks on Your Servers 


A system that can go from a couple of disks, all the way to 
40,000 disks, in whatever increment you want. That's 
probably more than you'll ever need, but isn't that the idea of 
scalability? Since our shelves mount in simple relay racks, 
just like your switches, you never run out of room. Never 
have your data captive inside one server's chassis. Never 
have to fork lift obsolete systems. Never have to buy more 
servers when all you need is more disks. 


Processing Power with Each Blade 


EtherDrive Storage Blades can go fast, too. Since each 
blade has its own CPU, memory and Ethernet interface, they 
can all work independently or in unison. Striping software 
can read/write blades in parallel. The wider the stripe, the 
faster the I/O. 


Each Blade isn't limited to a single server, either. Many 
servers can access the same group of EtherDrive Storage 
Blades. They can share read-only file systems or use 
available software like Red Hat's GFS to share read/write file 
systems. 


Using EtherDrive Storage Blades you only add pennies to 
the cost of the raw storage. Less than $0.65 per 
Gigabyte. 


CORAID 


www.coraid.com 
info@coraid.com 
1-877-548-7200 


TOOLBOX PARANOID PENGUIN 


Creating Certificates 

For EAP-TLS, you need at least two certificates besides your 
CA certificate, a server certificate for your FreeRADIUS server 
and one client certificate for each wireless client on your net- 
work. Creating certificates is a three-step process: 


1. Generate a signing request, that is, an unsigned certificate. 
2. Sign the signing request with your CA key. 
3. Copy the signed certificate to the host on which it will be used. 


Let’s start by creating a server certificate signing request 
using OpenSSL’s req command: 


$ openssl req -new -nodes -keyout server_key.pem \ 
-out server_req.pem -days 730 -config ./openssl.cnf 


This command creates the files server_req.pem, which 
contains the actual request (an unsigned certificate) and 
server_key.pem, its passphrase-less private key. First, though, you 
are prompted for your organization's Country Code, State and so 
on, much of which can use the default values you tweaked in 
openssl.cnf. Pay special attention, however, to Common Name. 
When prompted for this, type the fully qualified domain name of 
your server, for example, server.wiremonkeys.org. 

Next, let’s use our CA key to sign the request by using 
OpenSSL’s ca command: 


$ openssl ca -config ./openssl.cnf \ 
    -policy policy_anything -out server_cert.pem \ 
    -extensions xpserver_ext -extfile ./xpextensions \ 
    -infiles ./server_req.pem 


This command reads the file server_req.pem and, after 
prompting for your CA key's passphrase, saves a signed ver- 
sion of it plus its corresponding private key to the file 
server_cert.pem. Notice the -extensions and -extfile options: 
this is why earlier we created the file xpextensions. 

Open your signed certificate with the text editor of your choice 
and delete everything before the line -----BEGIN CERTIFICATE-----. 
Concatenate it and your key into a single file, like this: 


$ cat server_key.pem server_cert.pem > \ 
    server_keycert.pem 


Now we’ve got a server certificate with a key that we can 
copy over to our FreeRADIUS server. Its private key isn’t 
password-protected, however, so be sure to delete any extrane- 
ous copies after you’ve got it in place. 

Now we need to create a client certificate signing request. 
The OpenSSL command to do this is similar to that used to 
create server certificates: 


$ openssl req -new -keyout client_key.pem \ 
-out client_req.pem -days 730 -config ./openssl.cnf 


As you can see, we're writing our signing request and 
key to the files client_req.pem and client_key.pem, respectively. 
Unlike with the server signing requests, however, we're 
omitting the -nodes option. Therefore, when you run this 
command, you are prompted for a passphrase with which the 
certificate's private key can be encrypted. 

Next we sign the client certificate’s signing request: 


$ openssl ca -config ./openssl.cnf \ 
    -policy policy_anything -out client_cert.pem \ 
    -extensions xpclient_ext -extfile ./xpextensions \ 
    -infiles ./client_req.pem 


Again, this is similar to the equivalent command for our 
server, except this time the -extensions command references 
a different entry in xpextensions. Also, if your clients run 
Linux, you should delete the extraneous stuff in the certifi- 
cate, like you did with server_cert.pem. You then either can 
leave the certificate and key files separate or concatenate 
them. From there, copy your client certificate file(s) to your 
Linux client system. 

If your certificate is to be used by a Windows XP client, 
you have one more step to take. You need to convert the cer- 
tificate file(s) to a PKCS12-format file, with this command: 


$ openssl pkcs12 -export -in client_cert.pem \ 
    -inkey client_key.pem -out client_cert.p12 -clcerts 


You are prompted for client_key.pem’s passphrase and then 
for a new passphrase for the new file; you can use the same 
password as before if you like. You may be tempted simply to 
press Enter instead, especially given that the WPA supplicant in 
Windows XP works only when you store its certificates with- 
out passphrases. It’s very, very bad practice, however, to move 
private keys around networks unprotected, so I strongly recom- 
mend that you not remove the passphrase until after this file is 
copied safely over to your Windows XP client. 

Lest you be tempted to take this opportunity to bash 
Microsoft, I must note that on Linux both Xsupplicant and 
wpa_supplicant require you either to use a blank passphrase or 
store the passphrase in clear text in a configuration file. This is 
contrary to good certificate-handling wisdom. I hope we some 
day see WPA supplicants intelligent enough to prompt the user 
for its certificate passphrase on startup. 

The resulting file, in this example client_cert.p12, contains 
both your signed certificate and its private key. Copy it to your 
Windows XP client system. 
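The whole three-step procedure above (request, sign, package for the 
server and the client), run end to end without prompts, as an added 
example; this is not the article's own script. It assumes openssl is 
installed, creates a throwaway self-signed CA of its own, reconstructs 
the xpextensions file as the usual serverAuth/clientAuth extended-key- 
usage sections, and uses "openssl x509 -req" in place of "openssl ca" so 
that no CA database (index.txt, serial) is needed. Host names and 
passphrases are made-up sample values. 

```shell
#!/bin/sh
# Added example, not from the article: the three-step EAP-TLS certificate
# procedure run non-interactively end to end. Assumptions (not from the
# page): openssl is installed; a throwaway self-signed CA is created here;
# the xpextensions file is reconstructed as serverAuth/clientAuth
# extended-key-usage sections; "openssl x509 -req" stands in for
# "openssl ca" so no CA database (index.txt, serial) is required;
# host names and passphrases are made-up sample values.
set -e

# Minimal openssl.cnf: no prompting (we pass -subj) plus a CA extension section.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Stand-in for the article's xpextensions file (reconstructed, see above).
write_xpextensions() {
    cat > "$1" <<'EOF'
[ xpserver_ext ]
extendedKeyUsage = serverAuth
[ xpclient_ext ]
extendedKeyUsage = clientAuth
EOF
}

# Step 1: a signing request plus its private key. An empty passphrase
# means -nodes (unencrypted key, as for the FreeRADIUS server); otherwise
# the key is encrypted with the given passphrase (as for a client).
make_request() { # dir name common-name passphrase
    if [ -n "$4" ]; then
        openssl req -new -newkey rsa:2048 -config "$1/openssl.cnf" \
            -keyout "$1/$2_key.pem" -out "$1/$2_req.pem" \
            -subj "/CN=$3" -passout "pass:$4"
    else
        openssl req -new -nodes -newkey rsa:2048 -config "$1/openssl.cnf" \
            -keyout "$1/$2_key.pem" -out "$1/$2_req.pem" -subj "/CN=$3"
    fi
}

# Step 2: sign the request with the CA key, attaching the chosen
# xpextensions section (xpserver_ext or xpclient_ext).
sign_request() { # dir name extension-section
    openssl x509 -req -in "$1/$2_req.pem" -CA "$1/ca_cert.pem" \
        -CAkey "$1/ca_key.pem" -CAcreateserial -days 730 \
        -extfile "$1/xpextensions" -extensions "$3" -out "$1/$2_cert.pem"
}

# The article's "delete everything before BEGIN CERTIFICATE" step, done
# with sed instead of an editor; harmless if there is no preamble.
strip_preamble() { # file
    sed -n '/-----BEGIN CERTIFICATE-----/,$p' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 3 (packaging for copying to the hosts): server key+cert
# concatenated for FreeRADIUS, client cert+key as PKCS#12 for Windows.
make_eap_tls_certs() { # dir
    mkdir -p "$1"
    write_openssl_cnf "$1/openssl.cnf"
    write_xpextensions "$1/xpextensions"
    openssl req -new -x509 -nodes -newkey rsa:2048 -config "$1/openssl.cnf" \
        -extensions v3_ca -keyout "$1/ca_key.pem" -out "$1/ca_cert.pem" \
        -subj "/CN=Example Test CA" -days 730
    make_request "$1" server "radius.example.test" ""
    sign_request "$1" server xpserver_ext
    strip_preamble "$1/server_cert.pem"
    cat "$1/server_key.pem" "$1/server_cert.pem" > "$1/server_keycert.pem"
    make_request "$1" client "laptop.example.test" "clientpass"
    sign_request "$1" client xpclient_ext
    strip_preamble "$1/client_cert.pem"
    openssl pkcs12 -export -in "$1/client_cert.pem" -inkey "$1/client_key.pem" \
        -out "$1/client_cert.p12" -clcerts \
        -passin pass:clientpass -passout pass:p12pass
}

# Returns 0 when the certificate chains to our CA and its Extended Key
# Usage is the one the supplicant or server will insist on.
check_cert() { # dir name expected-eku-text
    openssl verify -CAfile "$1/ca_cert.pem" "$1/$2_cert.pem" >/dev/null &&
        openssl x509 -in "$1/$2_cert.pem" -noout -text | grep -q "$3"
}

# Run end to end with, for example:  EAP_DEMO_DIR=./eap-certs sh eap_certs.sh
if [ -n "${EAP_DEMO_DIR:-}" ]; then
    make_eap_tls_certs "$EAP_DEMO_DIR"
    check_cert "$EAP_DEMO_DIR" server "TLS Web Server Authentication"
    check_cert "$EAP_DEMO_DIR" client "TLS Web Client Authentication"
fi
```

The check at the end is the part worth keeping around: a server certificate 
signed with the client section (or the other way round) verifies fine 
against the CA yet is rejected by the peer, so test the extended key usage, 
not just the chain, before copying anything to the RADIUS server or to a 
client. 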


Conclusion 
We've installed FreeRADIUS, created a certificate authority, 
generated server and client certificates and transferred them to 
their respective hosts. But we're not done yet. We still need to 
configure FreeRADIUS, our access point and our wireless 
clients. We'll do all that next time. Until then, be safe! 
Resources for this article: www.linuxjournal.com/article/ 
8134. 


Mick Bauer, CISSP is Linux Journal's security editor 
and an IS security consultant in Minneapolis, 
Minnesota. O'Reilly & Associates recently released 
the second edition of his book Linux Server Security 
(January 2005). Mick also composes industrial polka 
music but has the good taste seldom to perform it. 
Things You Should Never Do in the Kernel 


How do you read and write files from a kernel 
module? Wait, make that: "How would you read 
and write files from a kernel module if that weren't 
a bad thing to do?" BY GREG KROAH-HARTMAN 


On Linux kernel programming mailing lists oriented 
toward new developers (see the on-line Resources), 
a number of common questions are asked. Almost 
every time one of these questions is asked, the 
response always is, "Don't do that!", leaving the bewildered 
questioner wondering what kind of strange development com- 
munity they have stumbled into. This is the first in an occa- 
sional series of articles that attempts to explain why it general- 
ly is not a good idea to do these kinds of things. Then, in order 
to make up for the chastising, we break all of the rules and 
show you exactly how to do them anyway. 


Read a File 

The most common question asked in this don’t-do-that category 
is, “How do I read a file from within my kernel module?” Most 
new kernel developers are coming from user-space programming 
environments or other operating systems where reading a file is 
a natural and essential part of bringing configuration information 
into a program. From within the Linux kernel, however, reading 
data out of a file for configuration information is considered to 
be forbidden. This is due to a vast array of different problems 
that could result if a developer tries to do this. 

The most common problem is interpreting the data. Writing a 
file interpreter from within the kernel is a process ripe for prob- 
lems, and any errors in that interpreter can cause devastating 
crashes. Also, any errors in the interpreter could cause buffer 
overflows. These might allow unprivileged users to take over a 
machine or get access to protected data, such as password files. 

Trying to protect the kernel from dumb programming errors 
is not the most important reason for not allowing drivers to 
read files. The biggest issue is policy. Linux kernel program- 
mers try to flee from the word policy as fast as they can. They 
almost never want to force the kernel to force a policy on to 
user space that can possibly be avoided. Having a module read 
a file from a filesystem at a specific location forces the policy 
of the location of that file to be set. If a Linux distributor 
decides the easiest way to handle all configuration files for the 
system is to place them in the /var/black/hole/of/configs, this 


kernel module has to be modified to support this change. This 
is unacceptable to the Linux Kernel community. 

Another big issue with trying to read a file from within the 
kernel is trying to figure out exactly where the file is. Linux 
supports filesystem namespaces, which allow every process to 
contain its own view of the filesystem. This allows some pro- 
grams to see only portions of the entire filesystem, while others 
see the filesystem in different locations. This is a powerful fea- 
ture, and trying to determine that your module lives in the 
proper filesystem namespace is an impossible task. 

If these big issues are not enough, the final problem of how to 
get the configuration into the kernel is also a policy decision. By 
forcing the kernel module to read a file every time, the author is 
forcing that decision. However, some distributions might decide 
it is better to store system configurations in a local database and 
have helper programs funnel that data into the kernel at the prop- 
er time. Or, they might want to connect to an external machine in 
some manner to determine the proper configuration at that 
moment. Whatever method the user decides to employ to store 
configuration data, by forcing it to be in a specific file, he or she 
is forcing that policy decision on the user, which is a bad idea. 


But How Do I Configure Things? 

After finally understanding the Linux kernel programmer’s 
aversion to policy decisions and thinking that those idealists are 
out of their mind, you still are left with the real problem of how 
to get configuration data into a kernel module. How can this be 
done without incurring the wrath of an angry e-mail flame war? 

A common way of sending data to a specific kernel module 
is to use a char device and the ioctl system call. This allows the 
author to send almost any kind of data to the kernel, with the 
user-space program sending the data at the proper time in the 
initialization process. The ioctl command, however, has been 
determined to have a lot of nasty side effects, and creating new 
ioctls in the kernel generally is frowned on. Also, trying prop- 
erly to handle a 32-bit user-space program making an ioctl call 
into a 64-bit kernel and converting all of the data types in the 
correct manner is a horrible task to undertake. 

Because ioctls are not allowed, the /proc filesystem can be 
used to get configuration data into the kernel. By writing data 
to a file in the filesystem created by the kernel module, the ker- 
nel module has direct access to it. Recently, though, the proc 
filesystem has been clamped down on by the kernel develop- 
ers, as it was horribly abused by programmers over time to 
contain almost any type of data. Slowly this filesystem is being 
cleaned up to contain only process information, such as the 
names of filesystem states. 

For a more structured filesystem, the sysfs filesystem pro- 
vides a way for any device and any driver to create files to 
which configuration data may be sent. This interface is preferred 
over ioctls and using /proc. See previous articles in this column 
for how to create and use sysfs files within a kernel module. 


I Want to Do This Anyway 
Now that you understand the reasoning behind forbidding the 
ability to read a file from a kernel module, you of course can 
skip the rest of this article. It does not concern you, as you are 
off busily converting your kernel module to use sysfs. 

Still here? Okay, so you still want to know how to read a 
file from a kernel module, and no amount of persuading can 
convince you otherwise. You promise never to try to do this in 
code that will be submitted for inclusion into the main kernel 
tree and that I never described how to do this, right? 

Actually, reading a file is quite simple, once one minor 
issue is resolved. A number of the kernel system calls are 
exported for module use; these system calls start with sys_. So, 
for the read system call, the function sys_read should be used. 

The common approach to reading a file is to try code that 
looks like the following: 


fd = sys_open(filename, O_RDONLY, 0); 
if (fd >= 0) { 
        /* read the file here */ 
        sys_close(fd); 
} 

However, when this is tried within a kernel module, the 
sys_open() call usually returns the error -EFAULT. This causes 
the author to post the question to a mailing list, which elicits the 
“don’t read a file from the kernel” response described above. 

The main thing the author forgot to take into consideration 
is the kernel expects the pointer passed to the sys_open() func- 
tion call to be coming from user space. So, it makes a check of 
the pointer to verify it is in the proper address space in order to 
try to convert it to a kernel pointer that the rest of the kernel 
can use. So, when we are trying to pass a kernel pointer to the 
function, the error -EFAULT occurs. 


Fixing the Address Space 


To handle this address space mismatch, use the functions 
get_fs() and set_fs(). These functions modify the current pro- 
cess address limits to whatever the caller wants. In the case of 
sys_open(), we want to tell the kernel that pointers from within 
the kernel address space are safe, so we call: 


set_fs(KERNEL_DS); 


The only two valid options for the set_fs() function are 
KERNEL_DS and USER_DS, roughly standing for kernel data 
segment and user data segment, respectively. 

To determine what the current address limits are before 
modifying them, call the get_fs() function. Then, when the 
kernel module is done abusing the kernel API, it can restore 
the proper address limits. 

So, with this knowledge, the proper way to write the above 
code snippet is: 


old_fs = get_fs(); 
set_fs(KERNEL_DS); 

fd = sys_open(filename, O_RDONLY, 0); 
if (fd >= 0) { 
        /* read the file here */ 
        sys_close(fd); 
} 
set_fs(old_fs); 


An example of an entire module that reads the file 
/etc/shadow and dumps it out to the kernel system log, proving 
that this can be a dangerous thing to do, can be seen below: 


#include <linux/kernel.h> 
#include <linux/init.h> 
#include <linux/module.h> 
#include <linux/syscalls.h> 
#include <linux/fcntl.h> 
#include <asm/uaccess.h> 

static void read_file(char *filename) 
{ 
        int fd; 
        char buf[1]; 

        /* let the sys_* calls accept pointers from kernel space */ 
        mm_segment_t old_fs = get_fs(); 
        set_fs(KERNEL_DS); 

        fd = sys_open(filename, O_RDONLY, 0); 
        if (fd >= 0) { 
                /* dump the file one byte at a time to the kernel log */ 
                printk(KERN_DEBUG); 
                while (sys_read(fd, buf, 1) == 1) 
                        printk("%c", buf[0]); 
                printk("\n"); 
                sys_close(fd); 
        } 
        /* restore the address limits we found */ 
        set_fs(old_fs); 
} 

static int __init init(void) 
{ 
        read_file("/etc/shadow"); 
        return 0; 
} 

static void __exit exit(void) 
{ } 

MODULE_LICENSE("GPL"); 
module_init(init); 
module_exit(exit); 


But What about Writing? 

Now, armed with this newfound knowledge of how to abuse 
the kernel system call API and annoy a kernel programmer at 
the drop of a hat, you really can push your luck and write to a 
file from within the kernel. Fire up your favorite editor, and 
pound out something like the following: 


old_fs = get_fs(); 
set_fs(KERNEL_DS); 

fd = sys_open(filename, O_WRONLY|O_CREAT, 0644); 
if (fd >= 0) { 
        sys_write(fd, data, strlen(data)); 
        sys_close(fd); 
} 
set_fs(old_fs); 


The code seems to build properly, with no compile time 
warnings, but when you try to load the module, you get this 
odd error: 


insmod: error inserting 'evil.ko': -1 Unknown symbol in module 


This means that a symbol your module is trying to use has 
not been exported and is not available in the kernel. By look- 
ing at the kernel log, you can determine what symbol that is: 


evil: Unknown symbol sys_write 


So, even though the function sys_write is present in the 
syscalls.h header file, it is not exported for use in a kernel mod- 
ule. Actually, on three different platforms this symbol is export- 
ed, but who really uses a parisc architecture anyway? To work 
around this, we need to take advantage of the kernel functions 
that are available to kernel modules. By reading the code of how 
the sys_write function is implemented, the lack of the exported 
symbol can be thwarted. The following kernel module shows 
how this can be done by not using the sys_write call: 


#include <linux/kernel.h> 
#include <linux/init.h> 
#include <linux/module.h> 
#include <linux/syscalls.h> 
#include <linux/file.h> 
#include <linux/fs.h> 
#include <linux/fcntl.h> 
#include <asm/uaccess.h> 

static void write_file(char *filename, char *data) 
{ 
        struct file *file; 
        loff_t pos = 0; 
        int fd; 

        /* let sys_open() accept a pointer from kernel space */ 
        mm_segment_t old_fs = get_fs(); 
        set_fs(KERNEL_DS); 

        fd = sys_open(filename, O_WRONLY|O_CREAT, 0644); 
        if (fd >= 0) { 
                /* turn the descriptor into a struct file and write 
                 * through the VFS, which is what sys_write() does */ 
                file = fget(fd); 
                if (file) { 
                        vfs_write(file, data, strlen(data), &pos); 
                        fput(file); 
                } 
                sys_close(fd); 
        } 
        set_fs(old_fs); 
} 

static int __init init(void) 
{ 
        write_file("/tmp/test", "Evil file.\n"); 
        return 0; 
} 

static void __exit exit(void) 
{ } 

MODULE_LICENSE("GPL"); 
module_init(init); 
module_exit(exit); 


As you can see, by using the functions fget, fput and 
vfs_write, we can implement our own sys_write functionality. 


I Never Told You about This 


In conclusion, reading and writing a file from within the ker- 
nel is a bad, bad thing to do. Never do it. Ever. Both modules 
from this article, along with a Makefile for compiling them, 
are available from the Linux Journal FTP site, but we expect 
to see no downloads in the logs. And, I never told you how to 
do it either. You picked it up from someone else, who learned 
it from his sister’s best friend, who heard about how to do it 
from her coworker. 


Resources for this article: www.linuxjournal.com/article/ 
8130. 


Greg Kroah-Hartman is one of the authors of Linux Device 
Drivers, 3rd edition and is the kernel maintainer for more driver 
subsystems than he likes to admit. He works for SUSE Labs, doing 
various kernel-specific things and can be reached at 
greg@kroah.com for issues unrelated to this article. 
L'Inspired 


How can desktop and laptop hardware vendors 
become profitable again? Linspire suggests 
grabbing some of the desktop software business. 
BY DOC SEARLS 


After years gunning up and down the runway, it 
looks like Linux on the laptop finally may take 
off. I sensed some lift under the wings just in the 
first few months of this year. We reviewed HP's 
first Linux laptop in January 2005, and we're told more are 
on the way. Novell, which last year made a public commit- 
ment to running their entire company on Linux, made that 
commitment visible at LinuxWorld Expo in February 2005. 
A large percentage of the computers in the Novell booth 
were IBM ThinkPads in the same T40 family as my own 
(an EmperorLinux Toucan). By the time I left, the Novell 
folks had upgraded my SUSE 9.1 to the company’s own 
SUSE 9.2-based Novell Desktop. I’m still shaking down a 
few minor glitches, but overall it works remarkably well. 
As a constant traveler who connects to the Net by ad hoc 
Wi-Fi, I’m in love (no pun intended) with Robert Love’s 
netapplet, which comes standard with the Novell Linux 
Desktop. See the description and screenshot in this issue’s 
Upfront section. 

At Apachecon last fall, I detected a drop in the percentage 
of Apple Mac OS X PowerBooks, clearly the preferred box 
the year prior, and a rise in the percentage of Linux laptops. 
The consensus, among those I talked to about it, was that 
Linux was getting better for laptops. Power control with the 
2.6 kernel got some of the credit, as did a growing assortment 
of available device drivers. And, so did a maturing portfolio of 
applications that offer straight-up alternatives to familiar 
goods on OS X and Microsoft Windows —or, better yet, appli- 
cation bridges to Linux. OpenOffice.org is an obvious exam- 
ple, but there are others, such as Nvu, the Web-authoring tool 
I’m using right now. 

But the drag persists on the hardware side, where we’re 
still repurposing Windows laptops for Linux. It’s not going 
to be easy to break free of that. The reasons are economic, 
not technical. 

Ever since “PC Compatible” became “Designed for 
Windows”, development of desktops and laptops at all the 
big hardware OEMs has started with Microsoft, not anybody 
else. Certainly not Linux. Every laptop “designed for 
Windows XP” bears Microsoft branding as bold as the 
maker’s own. This is branding of the same literal sort that 
ranchers practice when they burn their symbols on the hides 
of cattle. (In fact, cattle ranching is where the "branding" 
concept came from.) 

Branding agreements are just the obvious side of the 
Windows Laptop Story. The invisible side is much more 
interesting. For example, I’d been told before—always on a 
not-for-attribution basis—that Microsoft has a long-standing 
policy of using “marketing dollars” to keep hardware OEMs 
profitable. Of course, it’s been easy for Microsoft to do that, 
because their margins have always been huge. But it’s not 
something anybody on either side of the arrangement would 
be eager to talk about. 

One CEO who’s not in one of those arrangements is 
Michael Robertson, founder and CEO of Linspire. I talked 
with Michael this February at the Desktop Summit, which 
Linspire hosts, in San Diego. “There are all sorts of economic 
ties involved here that aren’t readily transparent’, he said. 
“They have the OEMs strung out on marketing dollars and 
kickbacks and stuff like that. Marketing dollars make their 
business barely viable. We had a top-ten desktop guy come to 
us and say, ‘We really want to do Linux, but we’re concerned 
that if we do this— whether it’s allowed or not—it’ll upset 
Microsoft and we’ll lose these revenues.’” 

But the PC hardware business is becoming more unprof- 
itable by the day. “Look at IBM-Lenovo”, Robertson said. 
IBM agreed to sell its PC business to Lenovo, the People’s 
Republic of China’s largest PC builder, at the end of last year. 
“IBM has lost $33 on every PC they’ve sold”, Robertson 
said. “We’re to a breaking point where some of the OEMs out 
there are saying, ‘Enough is enough. I have to get at least $50 
better economics.’ What can they do? Manufacture in China? 
Use cheaper parts? They already do that. They need cheaper 
software. Same with HP. If the PC business was doing well, 
Carly would still have a job. What they need now is a piece 
of the software business.” 

It isn’t easy for any company, even a desperate one, to 
leave money on the table. But that’s exactly what Linspire 
is asking the hardware OEMs to do. “They have to really 
believe that the Linux opportunity is sufficiently large to 
trump that guaranteed check they get from Microsoft”, 
Robertson said. 

So far, none of the OEMs has budged. At least not in a way 
anybody’s ready to talk about. Meanwhile, Linspire plugs 
away. “It’s a case of moving up the ecosystem”, Robertson 
said. “We work with VIA, the motherboard company. They’re 
happy to work with us. That domino fell. Then the AMD domi- 
no. They’re happy to work with us too.” 

I talked with folks at the AMD and VIA booths at the 
Desktop Summit, and it was clear that both companies 
savored the freedom and opportunity that come with opting 
not to run their goods through the Microsoft mill. Their 
attitude was much the same as I saw from the makers of 
Linux-based home media centers at CES one month earlier 
(see “The No-Party System”, in the April 2005 issue of 
Linux Journal). 

I asked Michael Robertson about NVIDIA and ATI, the big 
graphics subsystem companies. He smiled and said, “Other 
dominoes will fall too. The last will be the major record labels. 
The clue phone has to be ringing so loud they have no choice 
but to answer it.” 

Robertson has a lot of experience in the record business. 
He founded MP3.com and got rich by selling it to a record 
company that went on to kill it. Now he's back in the business 
again, with a companion to Linspire called MP3tunes. But 
where Linspire goes straight after Microsoft's business, 
MP3tunes goes straight after Apple's. 

Like Apple’s iTunes, MP3tunes is a store where you can 
sample and buy music. Unlike iTunes, MP3tunes sells music 
without any digital rights management (DRM). Where Apple 
sells music encoded at 128kb AAC, MP3tunes sells music 
encoded at 198kb MP3. Where Apple sells songs at $.99 each 
and $9.99 per album, MP3tunes’ prices are $.88 and $8.88. 
And where Apple’s store lives in an application that runs only 
on Windows and OS X, MP3tunes lives in a wide-open Web 
site, in addition to Linspire’s Lsongs (which runs on Linux 
and works like Apple’s iTunes). Michael Robertson: “Does 
the world need another music store? Yes. Because most of 
them are rental shops. They control what you can do with it, 
what you can copy it to. I think if you pay money for music, 
you should be able to use it any way you want, on any 
device....I like the model where, if you pay for the music, it’s 
yours. Forever.” 

MP3tunes also distributes music from CD Baby, a company 
that leaves all rights with the artist and takes only a 9% distri- 
bution fee. Customers also get an MP3tunes “music locker” 
that remembers everything bought from the service. This 
allows the customers to download the same songs again, as 
many times as they like, to any device. 

Naturally, Robertson sees Apple as no less controlling 
toward the music business than Microsoft is toward the operat- 
ing system business: 


It's not iTunes. It's theirTunes. Apple's controlling whether you 
can play it on this portable device, whether you can copy it to a 
Linux computer, which you can't, by the way. I did send an e- 
mail to Steve Jobs, saying "Hey Steve, how about supporting 
AAC and iTunes on Linux?" To give him credit, he did reply 
back to me...a one-word answer. It was "Nope." That's it. Not 
even a hi or a bye. Just "Nope." 


MP3tunes is fighting Apple on the playback side as well. 
Where iTunes is designed to run only on iPods and the PCs 
to which they attach, MP3tunes supports playing any music 
on any device. 

At the show, they demonstrated that advantage with a 
new product called MP3beamer. It’s a Linux-based music 
storage system that distributes music over Wi-Fi. You can 
buy the software on-line for $69.95 ($10 more in a box). 
Or, you can buy hardware with the software pre-installed. 
The demo hardware at the show was a compact $399 box 
from sub300.com—and a Linksys Wi-Fi boom box. The 
Linksys comes with a display that shows the tunes being 
played (along with other information) and a remote control 
that operates the base unit through the boom box. The 
Linksys also has audio-out plugs you can run into a 
home stereo. 

I also was curious at the show to see how Linspire’s 
newest distro version worked on the VIA-based eCom note- 
book computer they had loaned me two years ago. Kendall 
Dawson, a “community liaison” specialist with Linspire, 
helped me out by bringing a CD drive to the show, attaching 
it to the notebook (it doesn't have an internal drive) and load- 
ing the Linspire 5.0 beta distro. Everything went smoothly, 
and the rejuvenated notebook immediately met my minimum 
laptop requirements: 1) it saw and connected to the Net 
through the Wi-Fi card in its PCMCIA slot; 2) it hibernated 
when the lid closed and returned to its full waking state when 
the lid opened; and 3) it let me obtain and install the small 
pile of software I wanted to run—and did it far more easily 
than any Linux distro I’ve ever used. 

There were still a few small problems. It didn’t recog- 
nize my digital camera’s memory card when I plugged a 
reader in to a USB port. Same with the Flash memory stick 
that also serves as the laptop-side interface for a remote 
controller I use to operate slideshows. Then again, it’s not 
easy to get my ThinkPad T40 running SUSE (9.1) to do the 
same things. 

The Linspire laptop also immediately ran CNR (Click 
'N Run), a software warehouse and installation system for 
more than 2,000 packages, most of which are free (as in 
beer). I logged in, it remembered me, and I have been 
downloading stuff ever since. The system is the first I’ve 
seen that actually does a simpler and easier job of installing 
software than Windows or even OS X. Because Linspire is 
built on Debian, it manages packages with apt-get. Earlier 
versions had standalone apt-get functionality, but because 
users run as root in Linspire, this caused problems. So 
apt-get functionality is commented out in 5.0. Expert users, 
of course, can fix that. 

What encouraged me most at the show, however, wasn’t on 
the floor. It was at a tour of Linspire’s offices. At one end of a 
long open space cluttered with desks and geek debris was a 
counter populated by about 15 laptops and notebooks, each 
with performance charts taped to their lids. All the units were 
going through QA testing and burn-in on Linspire 5.0. I felt 
like I was watching Invasion of the Body Snatchers, except in 
this case, the invaders were the good guys. 

They’re making headway. The $199 Linux box that Fry’s 
Electronics advertises almost every week comes with Linspire 
as the default OS. Linspire is also on a $498 laptop sold at 
WalMart.com. Recently I also received a confidential report 
about Linspire running on desktops in a large company. When I 
asked Michael Robertson about that, he said, “We’re in a lot 
more companies than you’d think.” But he declined to name 
names to spare those companies unwanted visits from 
Microsoft sales people. 

Two years ago, at the first Summit, my only problem with 
Linspire was its narrow focus on end users, almost to the 
exclusion of the established Linux community. Since then, 
they’ve become much more friendly to the community, though 
I think they still could do more. For example, I’d like to see 
them showing up at other Linux and open-source events and 
working more with publications and Web sites that serve the 
Linux community. 

The idea here is for Linspire to get adoption by the hard- 
core experts who read Linux Journal. It’s to provide those 
experts with a version of Linux they can give to their non- 
expert parents and friends. If you want Linux adoption, there’s 
no better leverage than you'll get from a Linux expert. 


Doc Searls is Senior Editor of Linux Journal. 
FEATURE DEVELOPMENT 


InfiniBand and Linux 


Learn why letting a remote system on the network scribble on your 
memory is fine, how user-space applications can send data without 
bothering the kernel and more facts about the new high-performance 
interconnect. BY ROLAND DREIER 


After a long gestation, use of InfiniBand (IB) is taking off, 
and work is under way to add 

physical level, IB is similar to PCI Express. It carries data 
using multiple high-speed serial lanes. The first versions of 
the InfiniBand specification allowed only for the same 
signaling rate for each lane, 2.5Gb/s, as PCI Express. The 
latest version of the specification (1.2), however, adds 
support for 5Gb/s and 10Gb/s rates per lane. Also, IB 
supports widths of 1X, 4X, 8X and 12X, while PCI Express 
supports X1, X2, X4, X8, X12, X16 and X32. The most 
commonly used IB speed today is 4X at a 2.5Gb/s/lane rate, 
or 10Gb/s total. But the 12X width combined with the 
10Gb/s/lane rate means the current IB spec supports links 
with an astonishing 120Gb/s of throughput. 


Table 1. Comparison Chart 

Interconnect             Data Rate     Cable Length 
USB                      12Mb/s 
Hi-Speed USB (USB 2.0)   480Mb/s 
IEEE 1394 (FireWire)     400Mb/s 
Gigabit Ethernet         1,000Mb/s     ... (cat5 cable) 
10 Gigabit Ethernet      10,000Mb/s    ... (copper IB cable), 1+ km (optical) 
Myrinet                  2,000Mb/s     ... (copper), 200m (optical) 
1X InfiniBand            2,000Mb/s     ... (copper), 1+ km (optical) 
4X InfiniBand            8,000Mb/s     ... (copper), 1+ km (optical) 
12X InfiniBand           24,000Mb/s    ... (copper), 1+ km (optical) 


Because IB is used to build network 
fabrics, IB supports both copper and 
optical cabling, while the PCI Express 
cable specification still is being devel- 
oped. Most IB installations use copper 
cable (Figure 1), which can be used for 
distances up to about 10 meters. IB also 
allows a variety of optical cabling 
choices, which theoretically allow for 
links up to 10km. 

In past years, IB was pitched as a 
replacement for PCI, but that no longer 
is expected to be the case. Instead, IB 
adapters should continue to be peripher- 
als that connect to systems through PCI, 
PCI Express, HyperTransport or a simi- 
lar peripheral bus. 

The network adapters used to attach systems to an IB network 
are called host channel adapters (HCAs). In addition to the 
fabric’s extremely high speed, IB HCAs also provide a message 
passing interface that allows systems to use the 10Gb/sec or 
more throughput offered by InfiniBand. To make use of IB’s 
speed, supporting zero-copy networking is key; otherwise, 
applications will spend all their time copying data. 


Figure 1. Top to bottom: Cat 5 Ethernet Cable, 4X InfiniBand Cable and 12X InfiniBand Cable (US quarter coin included for scale) 

The HCA interface has three key features that make zero- 
copy possible: a high-level work queue abstraction, kernel 
bypass and remote direct memory access (RDMA). The work 
queue abstraction means that instead of having to construct and 
process network traffic packet by packet, applications post 
work requests to queues processed by the HCA. A message 
sent with a single work request can be up to 4GB long, with 
the HCA taking care of breaking the message into packets, 
waiting for acknowledgements and resending dropped packets. 
Because the HCA hardware takes care of delivering large mes- 
sages without any involvement from the CPU, applications 
receive more CPU time to generate and process the data they 
send and receive. 

Kernel bypass allows user applications to post work 
requests directly to and collect completion events directly from 
the HCA’s queues, eliminating the system call overhead of 
switching to and from the kernel’s context. A kernel driver sets 
up the queues, and standard memory protection is used to make 
sure that each process accesses only its own resources. All fast 
path operations, though, are done purely in user space. 

The final piece, RDMA, allows messages to carry the 
destination address to which they should be written in mem- 
ory. Specifying where data belongs is useful for applications 
such as serving storage over IB, where the server’s reads 
from disk may complete out of order. Without RDMA, either 
the server has to waste time waiting when it has data ready 
to send or the client has to waste CPU power copying data to 
its final location. 

Although the idea of remote systems scribbling on memory 
makes some queasy, IB allows applications to set strict address 
ranges and permissions for RDMA. If anything, IB RDMA is 
safer than letting a disk controller DMA into memory. 
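The address-range and permission check that makes RDMA safe, as an added user-space model (not code from the article or the OpenIB stack): an application registers memory regions with a key, a byte range and access flags, and an incoming RDMA read or write is admitted only if it presents a valid key, lies entirely inside that region and the region grants the operation. All names are hypothetical; only IB_ACCESS_LOCAL_WRITE appears on the page, and the remote flags are modelled on the same family.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Access bits on a memory region, modelled on the IB_ACCESS_* flag family
 * (hypothetical names; IB_ACCESS_LOCAL_WRITE is the one the article uses). */
enum mr_access {
	MR_ACCESS_LOCAL_WRITE  = 1u << 0,
	MR_ACCESS_REMOTE_WRITE = 1u << 1,
	MR_ACCESS_REMOTE_READ  = 1u << 2,
};

struct mem_region {
	uint32_t key;     /* key a peer must present (R_Key); 0 = unused slot */
	uint64_t base;    /* first address covered by the region */
	uint64_t length;  /* bytes covered */
	unsigned access;  /* enum mr_access bits */
};

enum rdma_op { RDMA_READ, RDMA_WRITE };

struct rdma_req {       /* the relevant fields of an incoming RDMA request */
	enum rdma_op op;
	uint32_t key;
	uint64_t addr;
	uint64_t length;
};

enum rdma_verdict {
	RDMA_OK,
	RDMA_BAD_KEY,        /* no registered region carries this key */
	RDMA_OUT_OF_BOUNDS,  /* request not fully inside the region */
	RDMA_NO_ACCESS       /* region does not permit this operation */
};

/* Look up the region named by key; NULL if none matches. */
static const struct mem_region *find_region(const struct mem_region *regs,
					    size_t n, uint32_t key)
{
	for (size_t i = 0; i < n; i++)
		if (regs[i].key != 0 && regs[i].key == key)
			return &regs[i];
	return NULL;
}

/* Decide whether req may touch memory, given the registered regions. */
enum rdma_verdict check_rdma_request(const struct mem_region *regs, size_t n,
				     const struct rdma_req *req)
{
	const struct mem_region *mr = find_region(regs, n, req->key);
	if (!mr)
		return RDMA_BAD_KEY;

	/* Range check without computing addr + length, which could wrap. */
	if (req->addr < mr->base)
		return RDMA_OUT_OF_BOUNDS;
	uint64_t offset = req->addr - mr->base;
	if (offset > mr->length || req->length > mr->length - offset)
		return RDMA_OUT_OF_BOUNDS;

	unsigned need = (req->op == RDMA_WRITE) ? MR_ACCESS_REMOTE_WRITE
					       : MR_ACCESS_REMOTE_READ;
	if ((mr->access & need) != need)
		return RDMA_NO_ACCESS;
	return RDMA_OK;
}

/* Constructed sample registrations: one read-only region, one read/write. */
static const struct mem_region demo_regions[] = {
	{ .key = 0x1001, .base = 0x10000, .length = 0x1000,
	  .access = MR_ACCESS_LOCAL_WRITE | MR_ACCESS_REMOTE_READ },
	{ .key = 0x1002, .base = 0x20000, .length = 0x4000,
	  .access = MR_ACCESS_LOCAL_WRITE | MR_ACCESS_REMOTE_READ |
		    MR_ACCESS_REMOTE_WRITE },
};
#define DEMO_NREGIONS (sizeof demo_regions / sizeof demo_regions[0])

static const char *const verdict_name[] = {
	"OK", "BAD_KEY", "OUT_OF_BOUNDS", "NO_ACCESS"
};

int main(void)
{
	/* Constructed requests: a valid read, a write to a read-only region,
	 * a write that runs past the end, and a length chosen to wrap. */
	const struct rdma_req reqs[] = {
		{ RDMA_READ,  0x1001, 0x10100, 0x100 },
		{ RDMA_WRITE, 0x1001, 0x10100, 0x100 },
		{ RDMA_WRITE, 0x1002, 0x23F00, 0x200 },
		{ RDMA_WRITE, 0x1002, 0x20000, UINT64_MAX },
	};
	for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
		printf("req %zu: %s\n", i,
		       verdict_name[check_rdma_request(demo_regions,
						       DEMO_NREGIONS, &reqs[i])]);
	return 0;
}
```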

Beyond its high performance, IB also simplifies building 
and managing clusters by providing a single fabric that can 
carry networking and storage traffic in addition to cluster com- 
munication. Many groups have specified a wide variety of 
upper-level protocols that can run over IB, including: 


- IP-over-InfiniBand (IPoIB): the Internet Engineering Task 
Force (IETF) has a working group developing standards- 
track drafts for sending IP traffic over IB. These drafts even- 
tually should lead to an RFC standard for IPoIB. IPoIB does 
not take full advantage of IB’s performance, however, as 
traffic still passes through the IP stack and is sent packet by 
packet. IPoIB does provide a simple way to run legacy 
applications or send control traffic over IB. 


- Sockets Direct Protocol (SDP): the InfiniBand Trade 
Association itself has specified a protocol that maps stan- 
dard socket operations onto native IB RDMA operations. 
This allows socket applications to run unchanged and still 
receive nearly all of IB’s performance benefits. 


- SCSI RDMA Protocol (SRP): the InterNational Committee 
for Information Technology Standards (INCITS) T10 com- 
mittee, which is responsible for SCSI standards, has pub- 
lished a standard for mapping the SCSI protocol onto IB. 
Work is under way on developing a second-generation 
SRP-2 protocol. 
Many other groups also are studying and specifying the use 
of IB, including APIs from the DAT Collaborative and the 
Open Group’s Interconnect Software Consortium, RDMA bind- 
ings for NFS and IB support for various MPI packages. 

Of course, without open-source support, all of these fancy 
hardware capabilities are a lot less interesting to the Linux 
world. Fortunately, the OpenIB Alliance is an industry consor- 
tium dedicated to producing exactly that—a complete open- 
source IB stack. OpenIB currently has 15 member companies, 
including IB hardware vendors, server companies, software 
companies and research organizations. 

Work on the OpenIB software began in February 2004, and 
the first kernel drivers were merged into the main kernel tree in 
December 2004, right after the tree opened for 2.6.11 follow- 
ing the release of 2.6.10. The first batch of code merged into 
the kernel is the smallest set of IB drivers that do something 
useful. It contains a midlayer to abstract low-level hardware 
drivers from upper-level protocols, a single low-level driver for 
Mellanox HCAs, an IPoIB upper-level protocol driver and a 
driver to allow a subnet manager to run in user space. 

A few snippets of code from the IPoIB driver should provide 
some understanding of how one can use the kernel’s IB support. 
To see this code in context, you can look at the complete IPoIB 
driver, which is in the directory drivers/infiniband/ulp/ipoib in 
the Linux kernel source. 

Listing 1 shows what the IPoIB driver does to allocate all 
of its IB resources. First, it calls ib_alloc_pd(), which allocates 
a protection domain (PD), an opaque container that every user 
of IB must have to hold other resources. 


Listing 1. IPoIB Driver Initialization 


struct ib_qp_init_attr init_attr = {
        .cap = {
                /* sizes of the send and receive work queues */
                .max_send_wr  = IPOIB_TX_RING_SIZE,
                .max_recv_wr  = IPOIB_RX_RING_SIZE,
                /* one scatter/gather entry per work request */
                .max_send_sge = 1,
                .max_recv_sge = 1
        },
        .sq_sig_type = IB_SIGNAL_ALL_WR,
        .rq_sig_type = IB_SIGNAL_ALL_WR,
        .qp_type     = IB_QPT_UD
};

priv->pd = ib_alloc_pd(priv->ca);

priv->cq = ib_create_cq(priv->ca, ipoib_ib_completion,
                        NULL, dev,
                        IPOIB_TX_RING_SIZE + IPOIB_RX_RING_SIZE + 1);

if (ib_req_notify_cq(priv->cq, IB_CQ_NEXT_COMP))
        goto out_free_cq;

priv->mr = ib_get_dma_mr(priv->pd, IB_ACCESS_LOCAL_WRITE);

init_attr.send_cq = priv->cq;
init_attr.recv_cq = priv->cq;

priv->qp = ib_create_qp(priv->pd, &init_attr);

By the way, proper error checking has been omitted from 
the listings, although any real kernel code must check the 
return values of all functions for failure. All of the IB functions 
that allocate resources and return pointers use the standard 
Linux method for returning errors by way of the ERR_PTR() 
macro, which means that the status can be tested with 
IS_ERR(). For example, the call to ib_alloc_pd() in the real 
kernel actually looks like: 


priv->pd = ib_alloc_pd(priv->ca);
if (IS_ERR(priv->pd)) {
        printk(KERN_WARNING "%s: failed "
               "to allocate PD\n", ca->name);
        return -ENODEV;
}

Next, the driver calls ib_create_cq(), which creates a com- 
pletion queue (CQ). The driver requests that the function 
ipoib_ib_completion() be called when a completion event 
occurs and that the CQ be able to hold at least 
IPOIB_TX_RING_SIZE + IPOIB_RX_RING_SIZE + 1 work 
completion structures. This size is required to handle the 
extreme case when the driver posts its maximum number of 
sends and receives and then does not get to run until they all 
have generated completions. Confusingly enough, CQs are the 
one IB resource not associated with a PD, so we don’t have to 
pass our PD to this function. 

Once the CQ is created, the driver calls ib_req_notify_cq() 
to request that the completion event function be called for the 
next work completion added to the CQ. The event function, 
ipoib_ib_completion(), processes completions until the CQ is 
empty. It then repeats the call to ib_req_notify_cq() so it is 
called again when more completions are available. 

The driver then calls ib_get_dma_mr() to set up a memory 
region (MR) that can be used with DMA addresses obtained 
from the kernel’s DMA mapping API. Translation tables are set 
up in the IB HCA to handle this, and a local key (L_Key) is 
returned that can be passed back to the HCA in order to refer 
to this MR. 

Finally, the driver calls ib_create_qp() to create a queue pair 
(QP). This object is called a queue pair because it consists of a 
pair of work queues—one queue for send requests and one queue 
for receive requests. Creating a QP requires filling in the fairly 
large ib_qp_init_attr struct. The cap structure gives the sizes of the 
send and receive queues that are to be created. The sq_sig_type 
and rq_sig_type fields are set to IB_SIGNAL_ALL_WR so that 
all work requests generate a completion. 

The qp_type field is set to IB_QPT_UD so that an unreli- 
able datagram (UD) QP is created. There are four possible 
transports for an IB QP: reliable connected (RC), reliable data- 
gram (RD), unreliable connected (UC) and unreliable datagram 
(UD). For the reliable transports, the IB hardware guarantees 
that all messages either are delivered successfully or generate 
an error if an unrecoverable error, such as a cable being 
unplugged, occurs. For connected transports, all messages go 
to a single destination, which is set when the QP is set up, 
while datagram transports allow each message to be sent to a 
different destination. 

Once the IPoIB driver has created its QP, it uses the QP to 
send the packets given to it by the network stack. Listing 2 shows 
what is required to post a request to the send queue of the QP. 


Listing 2. IPoIB Driver Send Request Posting 


priv->tx_sge.lkey      = priv->mr->lkey;    /* L_Key from ib_get_dma_mr() */
priv->tx_sge.addr      = addr;              /* DMA address of the packet */
priv->tx_sge.length    = len;
priv->tx_wr.opcode     = IB_WR_SEND;
priv->tx_wr.sg_list    = &priv->tx_sge;     /* single-entry gather list */
priv->tx_wr.num_sge    = 1;
priv->tx_wr.send_flags = IB_SEND_SIGNALED;  /* generate a completion */
priv->tx_wr.wr_id      = wr_id;
priv->tx_wr.wr.ud.remote_qpn = qpn;
priv->tx_wr.wr.ud.ah         = address;

ib_post_send(priv->qp, &priv->tx_wr, &bad_wr);


First, the driver sets up the gather list for the send request. 
The lkey field is set to the L_Key of the MR that came from 
ib_get_dma_mr(). Because the IPoIB is sending packets that 
are in one contiguous chunk, the gather list has only a single 
entry. The driver simply has to assign the address and length of 
the packet. The address in the gather list is a DMA address 
obtained from dma_map_single() rather than a virtual address. 
In general, software can use a longer gather list to have the 
HCA collect multiple buffers into a single message to avoid 
having to copy data into a single buffer. 

The driver then fills in the rest of the fields of the send work 
request. The opcode is set to send, sg_list and num_sge are set for 
the gather list just filled in and the send flags are set to signaled 
so that the work request generates a completion when it finishes. 
The remote QP number and address handle are set, and the wr_id 
field is set to the driver’s work request ID. 

Once the work request is filled in, the driver calls 
ib_post_send(), which actually adds the request to the send 
queue. When the request is completed by the IB hardware, a 
work completion is added to the driver’s CQ and eventually is 
handled by ipoib_ib_completion(). 

InfiniBand can do a lot, and the OpenIB Alliance is only 
getting started writing software to do it all. Now that Linux has 
basic support for IB, we will be implementing more upper- 
level protocols, including SDP and storage protocols. Another 
major area we are tackling is support for direct user-space 
access to IB—the kernel bypass feature we talked about earlier. 
There’s plenty of interesting work to be done on IB, and the 
OpenIB Project is open to everyone, so come join the fun. 

Resources for this article: www.linuxjournal.com/article/8131. 


Roland Dreier is the maintainer and lead developer for Linux 
InfiniBand drivers through the OpenIB.org Project. Roland received 
his PhD in Mathematics from the University of California at 
Berkeley and has held a variety of positions in academic research 
and high tech. He has been employed by Topspin 
Communications since 2001. 
Professional performers need tools for managing photos and 
creating attention-getting promotional materials for print and 
on-line. Manage the photo collection with gthumb, and lay out 
posters with ease using Scribus. 


BY DAWN DEVINE AND MICHAEL BAXTER 


MAY 2005 WWW.LINUXJOURNAL.COM 


Opposite page, clockwise from top left: 

The Gypsy look takes a number of forms from traditional or 
historically flavored looks to more glamorous costumes, such as 
Hannah's stylish beaded version. Gypsy dancers ring the 
Mediterranean Sea and take many forms from the stylized Flamenco 
to the flirty belly dances performed in Turkey and Egypt. 

Belly dance appears in a variety of venues. Dancers assemble a 
wardrobe of costumes to suit different performance needs. Simone 
wears her modern wild animal costume to performances where she 
can demonstrate her wit and vivacious style. 

Belly dance is most often seen in intimate venues. However, there 
are the occasional gala shows where dancers pull out all the 
stops with high-style Egyptian costumes, such as the one Setareh 
wore on a large stage at a formal dance concert. 

Tempest embodies the look and attitude of the new generation of 
dancers who infuse traditional belly dance style with a modern 
edge. Her signature style and Goth sensibilities are reflected in 
her highly personal costume style, which easily could be worn in 
a variety of venues from nightclubs to Renaissance fairs to belly 
dance festivals. 


The San Francisco Bay Area is a hotbed of innovative 
technological development and a crucible for the growth of 
performance arts. One art that thrives 
in the progressive creative environment of the 
region is belly dance. From elegant performers 
draped in bead-encrusted costumes dancing in 
upscale restaurants to the colorful, turban- 
bedecked entertainers at Renaissance festivals 
and street fairs, for more than 100 years belly 
dancers have shimmied their way into every 
strata of contemporary pop culture. 

Middle Eastern dance arrived in the United 
States in the last quarter of the 19th century, 
appearing in cultural exhibits at various 
world’s fairs. Little Egypt was the first dancer 
to garner fame and prestige while performing 
at the 1893 World’s Columbian Exhibition in 
Chicago. Her amazing performances were so 
popular that the entertainment director of the 
fair, impresario Sol Bloom, hyped her in adver- 
tising with his newly coined term, belly dance. 

Although more formally known as Middle 
Eastern dance, the slang term belly dance per- 
sists, encompassing a range of styles from tra- 
ditional ethnic forms, including the Egyptian 
Raks Sharki, Arabic for “dance of the East’, to 
the highly stylized American Tribal Style and 
experimental Raks Gothique techniques. Each 
method is defined by its own unique blend of 
music, costume and movement vocabulary. 

From motion pictures to MTV videos, on 
television sitcoms and even at local ethnic 
restaurants, belly dancers are highly sought- 
after entertainers. Therefore, working belly 
dancers require professional-grade IT tools to 
meet their publicity needs with style and 
panache. Audiences and potential clients have 
become more sophisticated, demanding a high- 
er degree of polish and professionalism. 

Gone are the days when a simple 8" X 10" 
black-and-white glossy photo served as a 
dancer’s complete marketing package. 
Teachers need a way to get the word out 
about classes and performances. Professional 
dancers have to advertise their skills, ser- 
vices and show times. With the right tools, 
dancers can develop their own marketing 
packages. Today’s advertising needs include 
business cards, flyers and Web sites. 


Dancers now use computers for their own 
unique set of needs in marketing, music and 
sometimes also video. Like emergent innova- 
tion in dance in the Bay Area, GNU/Linux and 
other free software truly invite exploration. 
This article is based on our collaborations 
with several Bay Area belly dancers and a digi- 
tal photography work flow that is done entirely 


with GNU/Linux software. We describe two 
example successes using free software tools for 
belly dance marketing applications. In addition, 
we explore some really interesting intersections 
of free software and belly dance, both as an art 
and as a business. The sense of community, as 
in GNU/Linux community, has apparent paral- 
lels with the dance community. To contextual- 
ize this topic further, we talked with several 
professional dancers to get their take on the 
role of technology in their art and in their 
woman-owned businesses. One dancer, 
Michelle Joyce, says, “I really believe that 
my Web site is responsible for my professional 
dance career.” 

Challenges also are present in dance busi- 
ness promotion, where content also needs to 
educate. Amy Luna Manderino says of her 
dance group Shuvani, “Although our talents are 
diverse, they are all connected through 
Shuvani, in which we perform Romani music 
and dance from India, Turkey, Egypt and 
Spain. The biggest challenge is educating the 
public about the Roma (Gypsy) Trail. Many 
people are unaware that Gypsies are an ethnic 
community with a rich cultural heritage.... That’s 
always the challenge when you produce 
something in an artistic medium that hasn’t 
been seen before, you have to educate people 
on the concept.” 


We use free software for everything from pro- 
fessional photography to document generation, 
as we discuss here. We have held several belly 
dance photo shoots at the Creative Camera pro- 
fessional photo studio in Santa Clara, 
California. This photography was conducted 
with a digital work flow that uses 100% free 
software tools. For example, we use The 
GIMP, gthumb and gtkam (see the on-line 
Resources). 

Free software definitely addresses several 
concerns mentioned by belly dancers. For 
example, in talking about Web content devel- 
opment for her business, Tempest says 
“Thumbnailing, sizing and finishing images is 
very time consuming and can be especially 
tedious if the quality of the images is less than 
ideal.” Having spent a lot of time recently 
batch-processing photos with gthumb, we find 
this gPhoto2 utility indispensable for Web and 
print work. 

Now we turn to some creative uses of free 
software in belly dance with two key examples 
of creating belly dance concert posters. Each 
example is a little different. In the first, we 
intentionally wanted to create a new document 
from scratch for an upcoming event and need- 
ed documents suitable for both print and elec- 
tronic media. In the second example, an 
event already was being promoted on 
the Web, but we needed a print version 
right away, so some novel repurposing 
was done with free software tools. 

To create a new poster for a spring- 
themed belly dance event, we held a photo 
shoot and then edited the studio photos 
with gthumb and The GIMP. These result- 
ing images were combined with other text 
and photo elements to create the poster. 
The poster itself was done on Linux using 
a desktop publishing (DTP) application 
called Scribus. Refer to Clay Dowling’s 
article “Linux as a Publishing Platform” 
on the Linux Journal Web site for more 
details on using Scribus and The GIMP to 
publish on Linux. Although we describe 
only some of the big steps we used with 
The GIMP and Scribus, we were surprised 
at how easy it was to use this powerful 
application to position graphic elements 
precisely and ultimately obtain a profes- 
sional result. 

The first task was to select a suitable 
main photo of Michelle Paloma-Hudkins, 
who was promoting a belly dance event 
held in Sunnyvale, California, in March 
2005. We start with gthumb, as shown in 
Figure 1. After looking over several pho- 
tos in the series that we did, we selected 
one. But rather than insert a photo deco- 
rated only with a simple color border, it 
seemed more spring-like to use a fuzzy 
edge to the photo. This was managed by 
using The GIMP’s Script-Fu decor menu 
in Figure 2. The output after edge manip- 
ulation is shown in Figure 3. 

To sell the idea of spring, we wanted 
to composite into the poster a photo of 
daffodils from a separate photo shoot. 
One photo was a field of flowers, over 
which we intended to lay out announce- 
ment copy text. Another photo was a 
bright close-up of a single daffodil. 

The GIMP has powerful layer 
manipulation capabilities, and we need- 
ed only a few of them to accomplish a 
lot. In Figure 4 we added a layer filled 
with all-white color and merged this at 
50% opacity to create the slightly faded 
flower field image. The resulting picture 
is shown in Figure 5. 

To assemble all of the graphical ele- 
ments, we started Scribus. The easiest 
thing to do was to place the text onto the 
letter-size layout view in separate chunks, 
along with graphical items. These could 
be changed and placed using Scribus 
tools. An early version of the poster lay- 
out is shown in Figure 6. We used the 
Scribus editing panel for changing the 
original ASCII text, which imported with 
a default font, into something different 
and more appropriately sized for the 
poster (Figure 7). Other text bodies were 
handled similarly. This work included col- 
orizing the text, changing the line layout 
and other typographic qualities. 

After text placement and coloring, we 
added two additional photos from live 
belly dance events, with Simone and 
Tempest at the bottom. The photograph of the single daffodil was 
placed in the upper left, near the poster title. With the final edits 
complete, the bright and engaging poster is shown in Figure 8. 
Using Scribus, one source document could be used simultaneously 
for both print applications and as an on-line PDF file for Internet 
distribution to the public. 


Figure 1. Viewing a photo collection with gthumb to find exactly the right photo. 

Figure 2. Using a Script-Fu menu in The GIMP, we created a fuzzy border for the chosen image. 

Figure 3. The result nicely details a glamorous photo of Paloma, with the fuzzy border effect. 

Figure 4. Using layers in The GIMP, we added a white layer to make the background photo appear faded. 

Figure 5. The faded photo is now ready to use as background art for a spring-themed event. 

Figure 6. Working on the poster in Scribus. The background photo has been added, but the text chunks still are in the default font. 

Figure 7. Working with copy in the Scribus editing panel. 

Our second example solved a problem in belly dance promo- 
tion where pre-existing marketing content had to be used. With 
photos we’d taken at an earlier photo shoot, Paloma created a 
Web poster for a belly dance event held in December 2004, 
called Jingle Bell Raks. We now needed to create a print poster 
plus a separate high-resolution electronic distribution format. Free 
software made it possible to support Paloma’s marketing con- 
cerns where “...obstacles include venues to advertise at low cost. 
Finding the right bulletin boards to post on to be most effective. 
Also finding new avenues of distribution to reach outside the 
Belly Dance community, to draw in the general public.” 

A high-quality print-oriented conversion program called 
HTMLDOC (see Resources) came to the rescue here in an 
unusual application of free software. The robust HTMLDOC 
program can be compiled from source with ease. What it does 
is amazing: it reads in HTML, images and other data and then 
automatically turns that content into PDF files or PostScript as 
output. It also has powerful book-production and indexing fea- 
tures. Our case was pretty simple: we wanted to create a one- 
page print poster and PDF file automatically. It was really easy 
to do, as shown in Figure 9. We simply inserted the name of a 
single HTML file via the HTMLDOC GUI and then configured 
the program to make PDF files. The resulting poster as shown 
with xpdf is depicted in Figure 10. 


Belly Dance and Free Software 

We have only started an adventure in belly dance, using free soft- 
ware primarily for photography and image-oriented marketing 
projects. But more is clearly possible. Recalling Reuven M. 
Lerner’s Linux Journal articles on Web syndication and content 
management systems (CMSes), it would appear that free software 
exists to support solutions for Paloma and Tempest’s comments 
about the complexity involved in a belly dancer trying to create 
and expand her Web presence. The free software tools for Linux 
and audio described in Dave Phillips’ informative articles offer 
exemplary tools for the job of arranging belly dance music. The 
article by Olexiy Tykhomyrov and Denys Tonkonog on the Kino 
movie-making application (see December 2004’s Linux Journal) 
points toward free software for editing digital video. Hence, it too 
is a potential tool for dancers to have for live belly dance events. 
And still more is possible. At the time of this writing, we are 
preparing to do photography at a large annual belly dance event 
called Rakkasah West, which “is the largest Middle Eastern Folk 
Festival and Fantasy Bazaar in the world”. We expect to create 
10,000–12,000 high-resolution digital photos covering this event 
over three days. We plan to assemble photo collections automati- 
cally using GNU/Linux tools such as 
gPhoto2 and the open-source language 
Python. These tools certainly will be used 
for actual photo file management. 
However, we also expect to use the 
Python scripting capability of Scribus to 
support automatic generation of CD-ROM 
disk labels and nearly full custom photo 
books, indexed by belly dancer and/or 
troupe. Stay connected with Linux Journal 
for more details about this in the future. 


Figure 8. Final Result in Scribus: Dance into Spring 

Figure 9. HTMLDOC GUI menu box—adding one filename. 

Figure 10. HTMLDOC rules! Jingle Bell Raks, as seen with xpdf. 

Finally, Linux as a community-devel- 
oped project has definite resonance with 
the Belly Dance community. Linux is a 
gift culture, where numerous program- 
mers and maintainers contribute code for 
all to have. Belly dancers communicate 
and network with one another and with 
clients using the Internet, which is a large 
community substantially woven together 
with an infrastructure of free software and 
open standards. Advocacy for freedom 
and social consciousness ring no less 
true in belly dance. As Luna explains, her 
troupe Shuvani “donates several perfor- 
mances a year to the Voice of Roma, an 
advocacy group providing support for the 
Gypsies in war-torn Kosovo. For exam- 
ple, through their program ‘The Threads 
That Connect Us’ they provide material 
support for Romani women in the UN 
camps to embroider products that are then 
sold here in the US.” 

Resources for this article: 
www.linuxjournal.com/article/8133 


Dawn Devine aka Davina is 
a freelance writer and 
author of more than nine 
titles on Middle Eastern belly 
dance costume design and construction. 
She currently is the president of SF/BA 
MECDA, the San Francisco/Bay Area Middle 
Eastern Dance Association, an organization 
that promotes dancers, creates perfor- 
mance opportunities and strives to educate 
the public. Davina teaches belly dance in 
the greater San Jose area and in work- 
shops nationwide. 


Michael Baxter is technical 
editor at Linux Journal and 
has been working in com- 
puter technology since he 
was nine, imprinted by a 
July 4, 1969, viewing of 2001: A Space 
Odyssey. He is also an experienced 
photographer. Michael was more 
recently imprinted by the Belly Dance 
Vortex, apparently also on July 4, this 
FEATURE DEVELOPMENT 


Fd.o: Building the Desktop in the Right Places 


Don’t be fooled by chatter about desktop wars. 
Applications and desktop environments are cooper- 
ating behind the scenes and using reality-tested 
standards to make everyone's software work and 
play well together. BY MARCO FIORETTI 


End users care only about applications that perform the 
desired tasks. They come to Linux to have the freedom to 
pick up these applications one by one. To them, integrated 
desktop means the freedom to 
choose any mix of programs and the assurance that they work 
together. A monolithic desktop environment can limit pro- 
grammers as well. Making sure that your code cooperates 
with existing applications is essential to good software, if not 
the main characteristic that makes it useful. Being forced to 
use one or two development toolchains to achieve this result 
makes much less sense. 

A sore spot of the GNU/Linux desktop used to be 
XFree86—development progressed too slowly and perfor- 
mance was not satisfying. Many tools, from fontconfig to 
zlib, were duplicated to avoid external dependencies. If one 
driver changed, the whole package had to be released again. 
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Figure 1. Integration the Freedesktop.org way: servers, libraries and communication protocols that all applications can use, no matter which desktop environment they were born in. 


On top of all this, the XFree86 license changed last year to 
one that appeared to prohibit GPL programs from linking to 
any of the new code. Several distributions immediately react- 
ed by not shipping the new version with the license problem. 

Freedesktop.org (Fd.o) was formed in March 2000 to 
help developers solve the technical problems outlined 
above. The goal of this project is to create a base platform 
upon which every desktop can build. The method is to 
define independent specifications, complete with working 
code where needed. Formal standardization is left to other 
bodies. Following these specs should guarantee real interop- 
erability among applications as early as possible during 
their development, ideally before it starts. All software will 
be placed under LGPL or X-style licenses. Fd.o hosts a lot 
of neat projects, but this article introduces the main tools 
constituting the so-called Fd.o platform. 


Xlibs 

The X Window System is a network transparent protocol for 
graphical display. GUI programs use X to give drawing com- 
mands to the software, called the X server, which actually con- 
trols the screen. Until last year, servers and libraries usually 
were found in monolithic packages. Fd.o broke that bundle into 
parts, however, which now can be developed and packaged 
separately. The main advantage of this is that programmers and 
Linux distributions can mix and customize, at will, different 
implementations of each piece. 

Other X improvements include the removal of all in-tree 
dependencies and the use of autotools as the build system and 
of the iconv library for all conversions between Unicode and 
other encodings. The libraries wrapping the X protocol are 
called Xlibs. Fd.o released its first version of them in January 
2004. They adhere to the X standard, so they can be used with 
any X server. 

Even after several optimizations, the size of Xlibs may 
create problems on low-end platforms. Furthermore, some 
Xlibs requests block until they receive a reply, even when it 
is not really necessary. This can interfere with some latency 
reduction features in the 2.6 kernels. Xlibs also do a lot to hide the protocol, through caching, layering and similar efforts; these efforts are an advantage in many cases, an overhead in others. Last but not least, support for the creation of X extensions is limited. 

56 MAY 2005 WWW.LINUXJOURNAL.COM 

The Fd.o proposal to solve these problems is the X C 
Binding, XCB for short. This second library can be a base for 
new toolkits and lightweight emulation of parts of the Xlibs 
API. XCB is designed to work transparently with POSIX 
thread or single-thread programs. The code maintains binary 
compatibility with Xlibs extensions and applications and might 
not require recompilation of extensions. This makes slow, grad- 
ual migration from Xlibs to XCB easier, without losing func- 
tionality. The next step along this path, the Xlibs Compatibility 
Layer (XCL), should allow existing applications built on Xlibs 
to take advantage of XCB. 


X Servers 

Fd.o hosts two alternatives to XFree86. The first one started as 
a fork of the XFree86 4.4-RC2 code before the license change. 
This server is called X.org and is used in the same way as 
XFree86. The other alternative, called Xserver, is the most 
promising option in the long run. It is the fork of Kdrive, 
which started years ago as a lightweight, heavily modified ver- 
sion of XFree86. Kdrive is small, partly because it has less 
code duplication with the kernel. Size reduction also came 
about by removing some obsolete features and driver modules. 
The much smaller code size makes it easier to start from 
Kdrive to build a whole new server. 

The version of Xserver available today still is used mainly 
as a test bed for new extensions and features, such as trans- 
parency or OpenGL acceleration. Memory usage is minimized 
by performing a lot of calculations at runtime instead of always 
keeping the results in memory. 

The goal of Xserver is to reduce slowness as well as the 
other phenomena that make looking at a screen unpleasant, 
including flickers. A new X extension, called Composite, 
allows double buffering of the entire screen. Of course, no 
server can be smarter than its dumbest client, but the lighter 
architecture should make it easier to find and fix slow code, 
wherever it is. The new server makes no impact at the toolkit 
level, except when the programmer chooses to take direct 
advantage of the new extensions. 


Cairo 

Vector graphics create an image by drawing more or less com- 
plex lines and filling in the resulting areas with colors. The 
corresponding files are small in size and can be scaled at any 
resolution without losses. Consequently, this technique is inter- 
esting for users who want to be sure that what they print is 
what they see. Unfortunately, X knows how to manage screen 
pixmaps of text, rectangles and such, but it simply ignores 
printing or vector graphics. This is one of the reasons why we 
still do not have 100% consistency between screen, paper and 
saved files. 

The Fd.o solution is Cairo, “a new 2D vector graphics 
library with cross-device output support”. In plain English, 
this means the result is the same on all output media. 
Externally, Cairo provides user-level APIs similar to the 
PDF 1.4 imaging model. 

Through different back ends, Cairo can support different output devices. The first one is screens, through either 
Xlibs or XCB, and in-memory image buffers, which then 
can be saved to a file or passed to other applications. 
PostScript and PNG output already is possible, and PDF is 
planned. OpenGL accelerated output also will be available 
through a back end called Glitz. In addition, it will be pos- 
sible to use Glitz as a standalone layer above OpenGL. 
Cairo language bindings exist for C++, Java, Python, Ruby 
and GTK+. 

The developers of OpenOffice.org also are planning to 
use Cairo after version 2.0 of the OOo suite is released, 
possibly even as a separately downloadable graphics plugin. 
Still being in active development and minus a completely 
stable API, Cairo is not included yet in official Fd.o 
platform releases. 


D-BUS 

D-BUS is a binary protocol for Inter Process Communication 
(IPC) among the applications of one desktop session or 
between that session and the operating system. The second 
case corresponds to dynamic interactions with the user 
whenever new hardware or software is added to the com- 
puter. The internals of D-BUS were discussed by Robert 
Love in “Get on the D-BUS” in the February 2005 issue of 
Linux Journal. As far as the desktop end user is concerned, 
D-BUS should provide at least the same level of service 
currently available in both GNOME and KDE. To achieve 
this, both a system demon called message bus and a per- 
user, per-session demon are available. It also is possible 
for any two programs to communicate directly by using 
D-BUS to maximize performance. For the same reason, 
because the programs using the same D-BUS almost always 
live inside the same host, a binary format is used instead of 
plain XML. 

The message bus demon is an executable acting like a 
router. By passing messages instead of byte streams among 
applications, the demon makes their services available to 
the desktop. Normally there are multiple independent 
instances of this demon on each computer. One would be 
used for system-level communications, with heavy security 
restrictions on what messages it can accept. The others 
would be created for each user session, to serve applications 
inside it. The system-wide instance of D-BUS can become a 
security hole: services running as root must be able to 
exchange information and events with user applications. For 
this reason, it is designed with limited privileges and runs in 
a chroot jail. D-BUS-specific security guidelines can be 
found on the Fd.o Web site (see the on-line Resources). 

Most programmers do not need to talk the D-BUS 
protocol directly. There are wrapper libraries to use it in any 
desired framework or language. In this way, everybody is 
able to maintain his or her preferred environment rather than 
learning or switching to a new one specifically for IPC. End 
users, again, receive gains in interoperability: KDE, 
GNOME and Mono programs will be able to talk to one 
another, regardless of toolkit. As with Cairo, the first ver- 
sions of the Fd.o platform don’t include D-BUS, because 
its API is not stabilized yet. But, the developers consider 
D-BUS to be a cornerstone of future releases. D-BUS also 
is meant to replace DCOP in KDE 4. 
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Only time will tell if the first implementations of Fd.o are good 
enough and if the related specifications are valid. In this context, 
valid means something complete that can be re-implemented 
from scratch with totally new code, if one feels like doing so. I 
am convinced, however, that the approach is valid and has more 
potential than any other “complete desktop” already existing. 

The two most frequent complaints I’ve read so far are 1) the 
current desktops would lose their identities, becoming “only user- 
interface stuff’ and 2) Fd.o is not standards, simply other imple- 
mentations. My personal response to the first concern is, even if it 
happened, would it really be a problem? Most end users wouldn’t 
even realize it, nor would they be concerned at all. They most 
likely would note the improvements I mentioned at the beginning 
and be done with it. Making sure that all applications can cooper- 
ate, no matter how they were developed, also would make Linux 
much more acceptable as a corporate desktop, shutting up a whole 
category of arguments in favor of proprietary solutions. 

If protocols and formats stop being tied to specific imple- 
mentations or toolkits, they can be shared across multiple 
“desktop environments”. Code stability and lightness would 
directly benefit from this, as would innovation. Completely 
new programs could interact immediately with existing ones. I 
therefore hope that this trend is generalized and that more 
application-independent standards are submitted to Fd.o, 
covering file formats, sound schemes, color and tasks settings. 
Imagine one mail configuration file that could be used by any 
e-mail client, from Evolution to mutt, or one bookmark file 
usable by every browser from Mozilla to Lynx. 

As far as the second objection goes—Fd.o is not standards, 
simply other implementations —that’s exactly how free software 
and RFCs work. As long as specifications are written alongside 
the code, concepts can be validated in the field as soon as possi- 
ble. For the record, this same thing currently is happening with 
OOo and the OASIS Office standard (see LJ, April 2004). The 
file format started and matured inside StarOffice and OOo, but 
now it has a life of its own. The committee currently includes 
representatives from KOffice, and any future office suite can use 
it as its native format, starting only from the specification. 

Some traps do exist along this path, but as far as I can tell, 
the developers are aware of them and determined to avoid 
them. The first risk is to develop standards that for one reason 
or another work well only on Linux, leaving out the other 
UNIXes. The other is resource usage: all the magic described 
here would look much less attractive if it required doubling the 
RAM to run smoothly. As far as we know today, however, this 
seems to be an unlikely possibility. In any case, this is the right 
moment to join this effort. Happy hacking! 


Many thanks to Waldo Bastian, Keith Packard, Daniel Stone 
and Sander Vesik for all their explanations. 

Resources for this article: www.linuxjournal.com/article/8135. 


Marco Fioretti is a hardware systems engineer 
interested in free software both as an EDA platform 
and, as the current leader of the RULE Project, as an 
efficient desktop. Marco lives with his family in 
Rome, Italy. 
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InfiniCon Software Release 3.0 

[Diagram: InfiniCon Software Architecture, a scalable family of enterprise class server enablement: Host Channel Adapters (HCA), Switches, Virtual I/O] 
InfiniCon Systems released version 3.0 of its architecture for the InfiniBand-based hardware and 
software platform. The platform includes all host software, switch embedded software and 
InfiniCon’s FastFabric tools, opening the architecture to enable the use of third-party tools and 
applications. The 3.0 software can be incorporated into server architectures that embed InfiniBand 
on the motherboard—either on servers or on blade platforms —eliminating the need for a Host 
Channel Adapter (HCA) to access the InfiniBand network. Release 3.0 also includes support for 
Linux 2.6, scalability to more than 1,000 node fabrics, Oracle certification, certification of addi- 
tional commercial MPI packages, additional fabric reliability features, performance enhancements 
for InfiniBand and Ethernet protocols and additions to FastFabric tools for management needs. 


CONTACT Infinicon Systems, 680 American Avenue, Suite 100, King of Prussia, Pennsylvania 19406, 610-233-4747, www.infinicon.com. 


NAG Fortran Library Mark 21 
Mark 21 of the NAG Fortran Library 
includes more than 300 new functions, tak- 
ing the total to more than 1,500 functions. 
New functions include a complete chapter 
covering mesh generation that incorporates 
routines for generating 2-D meshes with a 
number of associated utility routines. 
Extensions have been included for zeros of 
polynomials, partial differential equations, 
eigenvalue problems (LAPACK) and sparse 
linear algebra. The random number genera- 
tion (GO5) function also has been expanded 
to include a new random number generator, 
the generation of univariate GARCH, 
asymmetric GARCH and EGARCH pro- 
cesses, quasi-random number generators 
and generators for further distributors. The 
NAG Fortran Library is available for 
implementations ranging from PCs to 
supercomputers. Not restricted to a single 
environment, algorithms can be called from 
other languages including C++. 

CONTACT The Numerical Algorithms Group Ltd., Wilkinson House, Jordan Hill Road, Oxford OX2 8DR, UK, www.nag.com. 


IBM eServer Application Server 
Advantage for Linux 
The IBM eServer Application Server 
Advantage for Linux, also known as 
Chiphopper, combines support and testing tools 
that enable ISVs to develop cross-platform 
Linux products. Chiphopper is a no-charge 
offering that can be used to take existing 
Linux-on-x86 (Intel or AMD) applications and 
test, port and support those applications across 
all IBM systems. Chiphopper supports applica- 
tions written directly to the operating system or 
written to middleware. For applications written 
directly to the OS, Chiphopper bases portability 
on the Linux Standard Base (LSB) specifica- 
tion. In addition, Chiphopper supports LSB 
applications that use open extensions including 
OpenLDAP, OpenSSL, Kerberos, PHP, Perl 
and Python. For applications using middleware, 
Chiphopper supports IBM’s WebSphere, DB2 
and Rational, providing Java, J2EE, Web ser- 
vices and services-oriented architecture open 
standards-based support. 

CONTACT IBM Corporation, 1133 Westchester Avenue, White Plains, New York 10604, www-1.ibm.com/linux. 


Platform for Network Equipment, 
Linux Edition 
Wind River Systems announced the availability 
of Platform for Network Equipment (NE), 
Linux Edition. Platform NE supports the 
Carrier Grade Linux 2.0 specification and 
Linux 2.6 kernel technology for device soft- 
ware development. It also enables ATCA-based 
commercial off-the-shelf (COTS) solutions for 
control and management applications in carrier 
grade network equipment. In addition, Platform 
NE provides access to a wide range of third- 
party runtime and tool vendors, as well as the 
Eclipse-based Wind River Workbench IDE to 
support the entire development cycle. 
CONTACT Wind River Systems, 500 Wind River Way, Alameda, California 94501, 800-545-9463, windriver.com. 


CM4000 Console Server 


A new family of console servers is available 
from Opengear, Inc. The CM4000 serial con- 
sole server comes in 8-, 16- and 48-port ver- 
sions that enable control of serial consoles on 
Windows, Sun and Linux servers. Opengear’s 
CM4000 products also can monitor and con- 
trol network appliances, including routers, 
gateways, PBXes and power switches. 
Remote site servers can be accessed in-band 
through the enterprise TCP-IP network or 
directly through a dial-up modem port, both 
using up to 128-bit AES encryption. The 
Opengear CM4000 console server also pro- 
vides filtering and access logging facilities, 
enabling console logs to be archived off-line. 
The CM4000s are built with the okvm open- 
source console and KVM management soft- 
ware, as well as open-source KVM hard- 
ware. Both Web browser and command-line 
management options are available. 
CONTACT Opengear, Inc., 7984 South Welby Park #101, West Jordan, Utah 84088, 801-282-1387, www.opengear.com. 


Please send information about releases of Linux-related products to Heather Mead at newproducts@ssc.com or New Products c/o Linux Journal, PO Box 55549, Seattle, WA 98155-0549. Submissions are edited for length and content. 
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RouterBOARD 230 
No feature left behind! 

Integrated router with various interfaces. Use as an AP on a tower with up to 500ft PoE. Includes IDE/CF, miniPCI, USB, PCMCIA, UART, PCI, GPIO, LCD controller, Linux SDK, and more. 
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Paid for 20GB, Getting 2 
I’m trying to set up Linux on a slightly older machine that has a 20GB 
hard drive. I’m trying to install Fedora on it, but the installation pro- 
gram and Disk Druid recognize it only as a 2GB drive. The same is 
true of QTParted running off of a boot CD containing Mepis Linux. A 
Microsoft Windows XP install CD recognizes the size of the CD just 
fine. Both Linux programs have a problem with the drive whether it is 
unpartitioned or has an NTFS partition on it. I can’t put any Linux 
partition on it larger than 2GB. Any idea what the problem is? 


Aaron Roberts, Alr8@georgetown.edu 


It’s important to back up any data you want to keep from this drive, 
even from non-Linux partitions, before you try any of the suggestions 
here. Changing partition tables can be hazardous to your data. You 
can get some background on this problem from the Large Disk 
HOWTO by Andries Brouwer at www.tldp.org/HOWTO/Large-Disk-HOWTO.html. 


First of all, if the drive is original equipment for the machine, try 
resetting the BIOS to factory defaults. 


Don Marti, dmarti@ssc.com 


Did you partition the drive with some proprietary disk partitioner? If 
so, you may want to boot from a bootable Linux CD and wipe the boot 
sector. If your drive is /dev/hda, as it usually is, use this command: 


dd if=/dev/zero of=/dev/hda bs=512 count=1 


Another thing to try is to upgrade the BIOS on that machine. 


Christopher Wingert, cwingert@qualcomm.com 


You can try to force the issue at boot time by supplying a parameter 
such as: 


hda=<cyls>,<heads>,<sectors> 


You usually can obtain these values by looking up the drive’s model 
number on the manufacturer’s Web site. Some BIOSes also have a 
variety of drive reporting mechanisms, such as NORMAL, LBA and 
LARGE. Try cycling between these and see what you get. 


Chad Robinson, chad@lucubration.com 


Making a Boot Floppy 
I need information on how to create a floppy that will allow me to 
load Linux from a CD-ROM. Can you give me some information 
about doing this so I can run two OSes (dual boot) on my small system? 


Everett E. Stone, 103726.2236@compuserve.com 


If it’s a newer machine, you can boot from CD-ROM. Try the Knoppix 
distribution. 


Christopher Wingert, cwingert@qualcomm.com 


It’s not clear from your question whether your problem is that your 
CD doesn't boot and you need a bootable floppy to kick start the dis- 
tribution or if you want to insert or remove the floppy to control 
whether the system runs from the CD. 


If the former, look into Slackware, a popular and well-maintained dis- 
tribution that still supports bootable floppy options for the load and 
emergency recovery tools. Otherwise, consider a distribution such as 
Knoppix, which allows you to run entirely from the CD without load- 
ing Linux on your hard drive. This is obviously a much slower option, 
but it eliminates the need to partition your drive, which is good for 
taking Linux for a test drive or working from a computer that is not 
your own. 


Chad Robinson, chad@lucubration.com 


You don’t need a boot floppy to set up a dual-boot system. Most of the 
common distributions will configure dual-boot for you in the installer. 
See www.linuxjournal.com/article/4619 to help you select a 
distribution. 


Don Marti, dmarti@ssc.com 
Deleting Millions of Files 


On my SUSE 9.1 system that is a server for more than 40 Windows 
machines, my directory /var/lib/dhcp/db contains nearly 1.6 million 
files with names of the form dhcpd.leases.AAgxyz and so on. If I try 
to remove them with a single command, such as: 


rm -f /var/lib/dhcp/db/dhcpd.leases.* 


the process fails with a command buffer too long message. My 
workaround has been to remove them piecewise, as follows: 


for i in {a..z} {A..Z} 
do 
    for j in {a..z} {A..Z} 
    do 
        rm -f /var/lib/dhcp/db/dhcpd.leases.$i$j* 
    done 
done 


Is there a better way to get rid of such large numbers of files? Any 
idea why the DCHP demon is running away like this? 


Larry W. Finger, Larry.Finger@lwfinger.net 


Determining why the DHCP demon is assigning so many leases would 
require investigating its log files. It’s possible that NAK messages are 
not making it through, MAC addresses are being reassigned or other 
shenanigans are being perpetrated by the clients. 


However, there are certainly easier ways to remove the files en masse. 
If your demon isn’t running, you can simply remove and re-create the 
directory itself, as in: 


rm -rf /var/lib/dhcp/db 
mkdir /var/lib/dhcp/db 
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Be sure you restore any permissions and ownership settings the direc- 
tory originally held. If this isn’t to your taste, investigate the find(1) 
command, which can execute commands on files matching the spec 
you provide, such as: 


find /var/lib/dhcp/db -type f -exec rm {} \; 

Note that the semicolon is required—it tells find where the exec command ends—but that most shells treat it as a special character. The back slash prevents this. 


Chad Robinson, chad@lucubration.com 


You can also use the xargs command, which feeds an arbitrarily long 
list of arguments to a command: 


cd /var/lib/dhcp/db && ls | grep '^dhcpd\.leases\.' | xargs rm 


Another sometimes-useful technique is to build up a list of commands 
and preview it with 1s to see if you got them right: 


ls | awk '{print "rm " $1}' | less 
Then, replace the less with sh to do the commands: 


ls | awk '{print "rm " $1}' | sh 


Don Marti, dmarti@ssc.com 
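The "command buffer too long" failure above comes from the kernel's limit on the size of a single exec call; a shell glob hits that limit, while a pipe into xargs does not. The following script is an added example written for this page, not code from the column, and it runs the find/xargs approach on a constructed scratch directory; it assumes a POSIX sh and a GNU or BSD find and xargs that support -print0/-0.

```shell
#!/bin/sh
# Added example (not from the column): clear a directory holding a huge
# number of dhcpd.leases.* files without tripping the per-exec
# argument-length limit. Stop dhcpd before doing this on a real server,
# otherwise it keeps creating files while you delete them.

# Build a scratch directory with constructed sample files that mimic the
# dhcpd.leases.XXXX names, plus one unrelated file that must survive.
make_lease_dir() {
    dir=$(mktemp -d) || return 1
    i=0
    while [ "$i" -lt "$1" ]; do
        : > "$dir/dhcpd.leases.$i"
        i=$((i + 1))
    done
    : > "$dir/dhcpd.conf"
    printf '%s\n' "$dir"
}

# List the lease files only. No shell glob is involved, so the list is
# streamed and never has to fit in one command line. -maxdepth 1 keeps it
# to this directory, -type f skips the directory itself, and -print0 keeps
# names containing spaces or newlines intact.
list_leases() {
    find "$1" -maxdepth 1 -type f -name 'dhcpd.leases.*' -print0
}

# Delete them: xargs reads the NUL-separated paths from the pipe and runs
# rm as many times as needed, each run with a command line that fits.
remove_leases() {
    list_leases "$1" | xargs -0 rm -f
}

# Preview without deleting: show the first few names that would go, the
# same idea as piping a generated command list into less.
preview_leases() {
    list_leases "$1" | tr '\0' '\n' | head -n "${2:-10}"
}

# Number of remaining entries, for checking the result.
count_entries() {
    find "$1" -mindepth 1 | wc -l | tr -d ' '
}
```

Run it as `d=$(make_lease_dir 3000); preview_leases "$d" 5; remove_leases "$d"`; the dhcpd.conf file is left in place because it does not match the -name pattern.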


Server for Home Network? 
I am new to Linux, and I would like to know if there is Linux software 
that would let me set up a file server for my home network that can be 
monitored and maintained remotely. I have six-plus computers on my 
local area network running Windows, and I have a spare computer that 
I would like to set up as a file server for the other computers for stor- 
age of MP3s and data. I would like to have this computer set up so 
that I can connect to it from any of the other computers to do mainte- 
nance and updates. I would like some kind of access control for the 
computers that can access this file server. Any suggestions or links to 
other sources regarding this project would be a great help. 


Dan, dpinko@shaw.ca 


Try Samba; more than likely, it already is on your machine. SMB is the 
native file-sharing protocol for Windows, so it is already there too. 


Christopher Wingert, cwingert@qualcomm.com 


Any number of options can allow you to do this. Two good starting 
points are Samba, a Windows-compatible file and printer sharing ser- 
vice, and Webmin, a Web-based administration tool. Webmin includes 
modules for configuring and administering Samba and provides its 
own Web server, so you need not install Apache, unless you want to. 
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If you must do something Webmin doesn’t support, you still can man- 
age the system via traditional command-line tools. Simply enable your 
distribution’s SSH services on the Linux box, and use an SSH terminal 
from one of the clients to connect to it. 


Chad Robinson, chad@lucubration.com 


A good SSH client to install on Microsoft systems is putty: 
www.chiark.greenend.org.uk/~sgtatham/putty. 


Don Marti, dmarti@ssc.com 


make or gmake? 
I installed Ubuntu on my laptop, which does a fairly skinny install. It 
has make, but the project I am working on needs gmake. I need to 
install gmake and compile C++ code on a Linux box; I am compiling 
nachose-4.02. I did a search in dselect and could not find gmake. I 
went to the GNU site, and it does not specify gmake, only make. Are 
they the same? 


Seamus Rhys, seamusrhys@msn.com 


Here is a page specifically about the gmake package for Ubuntu. 
Download links are provided: higgs.djpig.de/ubuntu/www/ 
hoary/devel/make. 


Chad Robinson, chad@lucubration.com 


Yes, make and gmake are the same program on Linux systems. For 
historical reasons, some projects specify gmake so that they can be 
sure to use the full-featured GNU version of make instead of an earli- 
er, limited implementation. 


An easy way to add gmake to your system, so you don't have to 
change the project or install software, is simply to make a symlink 
in /usr/local/bin: 


cd /usr/local/bin \ 
  && sudo ln -s ../../bin/make gmake 


Don Marti, dmarti@ssc.com 


Thumbprint Readers? 
I was in a large discount store the other day, and I saw a rack of 
thumbprint readers that tout things like “log on to your computer and 
Web sites with the touch of a finger, just place your finger on the 
receiver whenever a password or username is required.” A device like 
this would allow a user or a system administrator to use very large 
complex passwords for system access. 


My office uses Red Hat and another OS; I use Debian. So far, I have 
not found a product or a HOWTO that recommends a product for use 
on a Linux machine. Is there a product you can recommend that would 
work on a Linux system? 


Tony Freeman, tony.freeman@insightbb.com 


This is possible under Linux, but you may need to roll your own solution using a variety of available packages. As far as I know, no distribution comes with support for this enabled out of the box yet, and certainly the software included with the product will be for Windows. To get started, take a look at Pluggable Authentication Modules (PAM). Basically, this is a subsystem that acts as an intermediary between applications, such as your login manager, and authentication sources, such as passwords, certificates and, yes, fingerprint scanners. You may have to configure some system files yourself, but it’s possible to make this work using software available today. 


Chad Robinson, chad@lucubration.com 


Getting Sound Working on Fedora 
Being a bit of a newbie to Linux —I can install packages but 
recompiling the kernel might be beyond me—I am looking for 
some help getting audio support added to my PC. I am using Red 
Hat FC2 installed on a Compaq Deskpro P550, which has an 
onboard sound chip ESS Audiodrive 1869. Any help or suggestions 
would be greatly appreciated. 


Tom Corcoran, tomc@meridianp2p.com 


Your sound card is supported by the ALSA Project, and that’s where 
you should start. It doesn’t require a kernel recompile. Although 
ALSA drivers are included in the kernel, the ALSA Project itself 
provides external, loadable modules that often are more up to date 
than those in any kernel package you may have installed. Visit 
www.alsa-project.org to get started. The site provides down- 
loadable packages and documentation for installing them. 


Chad Robinson, chad@lucubration.com 


You shouldn't have to add drivers to a relatively new distribution. Run the sndconfig utility to detect and test your audio hardware, then make sure the volume is turned up using the mixer applet in the GNOME panel. 


Don Marti, dmarti@ssc.com 


Tracking Down malloc Errors 
I disagree with the BTS advice “segfault when allocating memory” in 
the February 2005 issue. I bet ya a nickel that the culprit in this case is 
the previous malloc followed by writing outside the array boundary. 
One tool to figure this out is “electric fence”, which is open source. 
There are also good proprietary tools to do this. Maybe you can 
review a few of them? 


Jorg Kewisch, jorg@bnl.gov 


Many on-line help resources are available on the Linux Journal Web pages. Sunsite mirror sites, FAQs and HOWTOs can all be found at www.linuxjournal.com. 

Answers published in Best of Technical Support are provided by a team of Linux experts. If you would like to submit a question for consideration for use in this column, please fill out the Web form at www.linuxjournal.com/lj-issues/techsup.html or send e-mail with the subject line “BTS” to bts@ssc.com. 

Please be sure to include your distribution, kernel version, any details that seem relevant and a full description of the problem. 
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Cyclades AlterPath 
Manager E200 


REVIEWED BY MATTHEW HOSKINS 


Cyclades makes a number of excellent products aimed at easing system administration and data center management. These include console (serial and KVM) and remote power management. 
In the past, these devices were all islands unto 
themselves needing individual management. 
Authentication and authorization could be 
unified easily with a directory service, such as 
LDAP, Radius, NIS or Kerberos, but the con- 
figuration of the devices would need to be 
managed individually and manually. 

In modern complex data center environ- 
ments, infrastructure must be flexible to keep up 
with changing circumstances and requirements. 
A central management system was needed. 


Some of Cyclades’ most popular products 
are the TS and ACS serial console manage- 
ment devices. These thin 1U-rackmount 
enclosures allow secure remote console 
access to servers and serial-port-equipped 
appliances, such as filers, routers, firewalls, 
SAN arrays and switches. The AlterPath 
Manager (APM) is designed to sit above 
multiple ACS and TS units and centralize 
configuration and authentication. 


The APM unit sports an 850MHz Intel 
Celeron CPU, 256MB RAM, 40GB disk, two 
10/100 Ethernet ports and two serial ports, 
one for the APM’s console and another for an 
optional dial-in modem. Not much horsepow- 
er by today’s standards, but more than enough 
for what the APM needs to do. This is all 
basically off-the-shelf hardware; the APM is 
primarily a software product that includes 
integrated hardware. 

The hardware is packaged nicely in a 
sturdy 1U-rack enclosure. Indicators are on 
the front with all connectors on the rear. 

The APM runs a small customized Linux 
OS. Cyclades’ management application is 
Web-based and runs under the Tomcat Java 
servlet engine. The servlet engine serves on 
both HTTP and HTTPS (encrypted) ports, and 
Cyclades provides simple instructions for dis- 
abling the non-encrypted port. All configura- 
tion and control of the managed devices is 
done over encrypted SSH connections. 

The APM uses password-style authentica- 
tion to the managed devices using expect. I 
would have liked to see public key authentica- 
tion, but passwords are easier to understand 
for most people and at least it’s still all 


SERIAL CONSOLES IN THE DATA CENTER 


: the console is the video monitor and a directly attached keyboard. 
This is where kernel and boot messages go as a system is coming up. The console 
eventually becomes a login terminal, either graphical or text mode, after a system is 
fully booted. On servers, however, graphical consoles are not needed and are often 
unwanted. Consoles on servers usually are used only to recover an ailing system or 
install a new OS. In these cases, a serial port is used as the console. This provides a very 
simple device for the kernel to deliver messages without the complexity or wasted CPU 
cycles of a graphics device. Serial consoles have the added benefit of remote access 
when used in conjunction with a console server such as the Cyclades ACS series 
products. These devices literally allow you to use SSH (secure shell) to connect directly 
to a server’s console and manage it from anywhere. Remote access to a server console 
allows the system administrator to recover and even re-install the OS from anywhere, 
if the server is running Linux or UNIX. 
encrypted. The root passwords for all 
managed devices are stored in a MySQL 
database running on the APM. This 
database allows connections only from 
localhost and stores these passwords in 
clear text. It also appears that the 
MySQL databases on all APM devices 
use the same hard-coded database root 
password. All the database passwords 
can be found in the world-readable con- 
figuration file /var/apm/apm.properties. 
It needs to be assumed that any user 
with shell access to the APM will have 
complete control of the managed 
devices because of the unfettered access 
to the root passwords. This security situ- 
ation should be significantly tightened 
up by Cyclades’ developers. 


The APM can control any Cyclades TS 
or ACS console server accessible on 
your network. All management, as pre- 
viously stated, is done over encrypted 
SSH connections. One installation sce- 
nario suggested in the APM documenta- 
tion is to create a private network using 
the second network port. In this situa- 
tion, you can allow the APM to serve 
DHCP and automatically manage the 
network numbering of the managed 
devices. This also utilizes the APM as a 
firewall between your public network 
and your management network. 


Cyclades also provided me with an 
ACS16 for this review. This device is a 
small Flash-based Linux box with 16 
serial ports that can be used to connect 
to server consoles, modems, terminals 
or any other serial devices. Each man- 
aged device must have basic network- 
ing configuration and a root password 
set. This is done in exactly the same 
way as the APM—using an included 
serial cable and an interactive wizard. If 
you are planning on using the private 
network approach mentioned above, 
simply set the device to use DHCP and 
set the root password. 


The initial configuration of the APM is 
done using a serial cable to a PC or ter- 
minal. The APM presents you with a 
simple configuration utility to get basic 
networking information, then directs 
you to continue with a Web browser. 
REVIEW HARDWARE 


The APM is now ready to configure and manage devices. Log in to the APM’s Web interface and 
click on Devices, then add. Enter a device name (for example, 
ACS001), device type, model number, network address and 
root password. The APM then automatically creates entries for 
each port on the device named similarly to ACS001_00, 
ACS001_01 and so on. These names uniquely and globally 
represent every port on the managed devices. They can be 
renamed later to something a little more meaningful. 


[Figure 1 screenshot: a device form with the fields Admin Username, IP Address, Default Gateway, Base Port, Auto Upload, PPP Phone and PPP Local IP, with Reset and Save buttons] 


Figure 1. Console Server Device Management 


Next, customize one or more Profiles (Figure 1) to describe 
the various types of devices you intend to connect to the ACS 
or TS units that this APM will control. The default profile is 
appropriate for most devices with serial consoles that operate 
at 9,600 baud, 8 bits, no parity and 1 stop bit. 

The next step is to do per-console configuration. Then you’re 
ready to connect to the connected devices. This can be done in 
one of two ways. From the APM’s Web interface you simply can 
click on the console name under consoles, and the APM launches 
a Java-based terminal emulator. Alternatively, you can connect 
directly to a console from any SSH client. If the APM’s hostname 
is myapm, your user name is admin and the console name is 
myserver, you would issue the following command: 


ssh admin:myserver@myapm 


The username:consolename syntax is a Cyclades modification 
of the SSH server running on the APM. It allows very easy 
access to the console ports. This is my absolute favorite feature. 


User Management 

Up to this point, we have been doing everything as the admin 
user created during the initial configuration. The APM gives 
you the ability to create users and delegate control of ports. 
This is useful in a large data center with a complex manage- 
ment structure. 


Event Monitoring, Alarms and Logging 
The APM has the ability to monitor ports and raise alarms 
based on what it sees. This is done using pattern expressions. 
Events are classified as Info, Warning or Severe and are sent 
by e-mail to users listed in the notify list under each console 
port configuration. 

Every console port has a data buffer and log associated 
with it. These logs can be viewed with the Web interface. 


Firmware Upgrades 

Keeping up to date with software and firmware versions is 
always a task at the forefront of a system administrator’s prior- 
ities. The APM simplifies this by automating firmware updates 
of managed devices. Updated firmware packages are down- 
loaded from Cyclades’ Web site then installed on the APM. 
From there they can be pushed to the managed devices. 


Backup and Restore 

The APM provides a simple command-line tool for backup 
and restore. This provides an easy-to-use way to back up all 
configuration, logs and the APM system itself to a remote 
system using SSH. The restore utility does the exact reverse. 
So many appliance-style devices do not include this vital fea- 
ture, but the APM does. It is important not to neglect backup 
and restore when evaluating any appliance-type device. Any 
device you depend on for day-to-day administrative operations 
needs to be classified as critical infrastructure and needs to be 
held to the same backup, restore and disaster recovery 
requirements as any other system. 


Suggested Improvement 

The APM is advertised as a way to unify management of 
various devices Cyclades produces. These include Power 
Management (PM Series), KVM (Keyboard Video and 
Mouse switches over IP) and ACS (Console Management). 
At this time, there is no integration for PM or KVM devices 
other than to connect and manage them individually through 
their console ports. According to Cyclades, future releases of 
the APM software will include tightly integrated support for 
PM and KVM ports. Right now, the APM is targeted mainly 
at managing serial console ports. 

One other wish-list feature I would like to see is some 
ability for the APM to do all the initial configuration of a 
new ACS/TS unit. I would like to be able to unbox a new, 
factory-fresh ACS, plug it in to the APM’s private network 
or AUX serial port and have the APM do the configuration 
from the ground up. 


Conclusion 

The APM does a great job at unifying configuration of 
Cyclades’ various serial console management devices. It 
also provides a global naming system for console ports, a 
truly valuable feature. Overall, the APM is a good product, 
comprising well-designed hardware and software. Some 
issues should be addressed by the designers as stated above, 
but these do not affect the overall usability of the device. 
The security issues I listed above can be worked around by 
not allowing local shell access to non-administrative users. 
The APM can manage a maximum of 2,048 console ports 
(or 42 ACS 48-port units), with a maximum of 256 ports in 
use at any one time. 


Matthew Hoskins is a Senior Linux/UNIX System Administrator for 
The New Jersey Institute of Technology where he maintains 
many of the corporate administrative systems. He enjoys trying 
to get wildly different systems and software working together, 
usually with a thin layer of Perl (locally known as MattGlue). 
When not hacking systems, he often can be found hacking in the 
kitchen. Matt can be reached at matt@njit.edu. 
Why is LPI the Global Standard in 
Linux Certification? 


Trusted. 


All Linux Professional Institute certification programs are created using extensive 
community input, combined with rigorous psychometric scrutiny and professional 
delivery. We test the whole continuum of important Linux skills - we don't just focus on 
small, subjective tasks. LPI exams are not simply an afterthought used to help sell 
something else. LPI is a non-profit group that does not sell software, training or books. 
Our programs and policies are designed to meet educational requirements, not 
marketing. 


LPI exams are available in seven languages, at more than 7,000 locations, in more than 
100 countries. You take LPI exams when you want, where you want. In addition, special 
exam lab events around the world make our program even more affordable. And 
because we don't make exclusive partnerships, LPI is supported by a broad range of 
testing centers, book publishers and innovative suppliers of preparation materials. 


You switched to Linux to get away from single-vendor dependence. So why trade one 
form of vendor lock-in for another? LPI's program follows the LSB specification, so 
people who pass our tests can work on all major distributions. Because of its strong 
grass-roots base and corporate support both inside and outside the world of open 
source, LPI goes beyond "vendor-neutral" to truly address community needs. 


LPI is IT certification done RIGHT! 


For more information, please contact us at Info@lpi.org or visit us at www.lpi.org. 

Linux Professional Institute 
The Official Blender 2.3 Guide: Free 
3D Creation Suite for Modeling, 
Animation, and Rendering 


Edited by Ton Roosendaal and Stefano Selleri 


No Starch Press, 2004 | ISBN: 1-59327-041-0 | $49.95 US 


If you are neither an artist nor an animator but have an interest 
in trying 3-D design and animation software on your worksta- 
tion, then Blender 3D is the application for you. As complex as 
this type of application is, Blender 3D is quite approachable due 
to the extraordinary support, including documentation, tutorials 
and demonstrations, produced by the Blender 3D community. 

The Official Blender 2.3 Guide is a published compila- 
tion of on-line resources produced by the Blender 3D com- 
munity. As would be expected from an official guide, the 
contents are authoritative. This book also is comprehensive, 
targeting the full range of Blender 3D users—this is not a 
simple command reference. 

My only issue with the book’s text is that the English in some 
passages is grammatically incorrect to the point that the reader’s 
[...]ed, forcing a re-read of a sentence or two. This is to be 
expected, given that many of the authors do not speak English as a 
first language and the Blender Documentation Board decided to grant 
each author stylistic latitude. These occasional lapses are forgiven, 
though, because the overall quality of the book is so high. 


[Book cover: The Official Blender 2.3 Guide, The Open 3D Creation Suite] 


Due to the 
many supporting images provided throughout the book, readers 
can learn how to use Blender 3D without a workstation as easi- 
ly as with one. In fact, I would not hesitate to recommend 
teaching directly from this text. 

Different types of users are going to approach this book 
from various perspectives. A novice, for example, should 
start at the beginning and work methodically through the text 
in order to learn general design concepts and terminology 
while also learning Blender 3D. An artist already skilled 
with another 3-D application should start at the beginning as 
well, if only to cover the Blender 3D interface. However, an 
experienced Blender 3D artist probably could use the book 
for its reference sections, to explore little-used techniques 
and parts of the program. 

Because it is a cross-platform application, the authors 
present important information about running Blender 3D on 
each platform, including sections about installation and sup- 
ported graphics cards. 

The book comes with a CD that contains Blender 3D 
2.32 source code, binaries for several platforms, documen- 
tation and representative example work. The book also 
offers a glossary, but in my opinion, it does not rise to the 
level of rest of the book. Overall, I highly recommend this 
book to anybody interested in learning about 3-D design 
and animation. 


—JEFFREY BIANCHINE 
INDEPTH VIA PADLOCK 


VIA 
PadLock— 
Wicked-Fast 
Encryption 


This inexpensive processor offers support for 
the Advanced Encryption Standard, so you can 
do state-of-the-art encryption at wire speed. 
BY MICHAL LUDVIG 


Probably everyone who has used encryption soon realised that the 
demand for processor power grew instantly. On older systems, the 
trade-off for using encrypted filesystems is slower file operations; on 
newer systems, the trade-off is, at minimum, significantly high- 
er CPU loads. Encrypting network traffic with the IPsec proto- 
col also slows things down, and sometimes you may encounter 
performance problems even on the standard 100Mbps network. 

Options exist, however, for working around these encryp- 
tion/performance trade-offs: 


■ Don’t encrypt: apparently the cheapest solution, but this can 
become very expensive in the long run. 


■ Accept the slowdown: the typical approach. 


■ Use a standalone cryptography accelerator: a PCI card, for 
example, doesn’t help as much as you might expect, howev- 
er, because the data must traverse the PCI bus more often 
than necessary. 


■ Use a CPU with VIA PadLock technology. What’s VIA 
PadLock? Read on. 


VIA PadLock 

A while back, VIA introduced a simple but slightly controver- 
sial approach: select some cryptographic algorithms and wire 
them directly in to the CPU. The result was the introduction of 
an i686 class processor that understands some new instructions 
dedicated to cryptographic functions. This technology is called 
VIA PadLock, and the processor is fully compatible with AMD 
Athlons and Intel Pentiums. 


The PadLock features available on your machine’s proces- 
sor are determined by its version. Processor versions usually 
are written as a family-model-stepping (F/M/S) triplet. Family 
is always 6 for i686 class CPUs. If the model is 9, your CPU 
has a Nehemiah core; if the model is 10, it has an Esther core. 
The stepping denotes a revision of each model. You can find 
your processor’s version in /proc/cpuinfo. 

Nehemiah stepping 3 and higher offers an electrical noise- 
based random number generator (RNG) that produces good 
random numbers for different purposes. The instruction for 
accessing the RNG is called xstore. As in Intel and AMD pro- 
cessors, the random number generator in VIA processors is 
supported by the hw_random device driver. 

Nehemiah stepping 8 and higher contains two independent 
RNGs and the Advanced Cryptography Engine (ACE). The 
ACE can encrypt and decrypt data using the Advanced 
Encryption Standard (AES) algorithm with three standard key 
lengths—128, 192 and 256 bits—in four different modes of 
operation: electronic codebook (ECB), cipher block chaining 
(CBC), cipher feedback (CFB) and output feedback (OFB) 
modes (see the on-line Resources). The appropriate instructions 
are called xcryptecb, xcryptcbc and so on. Later in this article, 
I predominantly use their common group name, xcrypt, instead 
of the mode-specific instruction names. 

Esther stepping 0 and higher inherited two RNG units 
from Nehemiah. ACE was extended with counter (CTR) 
mode support and MAC (Message Authentication Code) 
computation. And there are two new acronyms, PHE and 
PMM. PadLock Hash Engine (PHE) is used for computing a 
cryptographic hash, also known as a digest, of a given input 
block, using the SHA1 or SHA256 algorithm. The proposed 
instruction name is xsha. 

The PadLock Montgomery Multiplier (PMM) is responsi- 
ble for speeding up one of the most time-consuming computa- 
tions used in asymmetric, or public-key, cryptography: A^B mod 
M, where A, B and M are huge numbers, usually 1,024 or 
2,048 bits. This instruction is called montmul. 

As noted above, in the rest of this article I mostly speak 
about the xcrypt instruction. Principles described further most- 
ly are valid for other units as well, and xcrypt serves only as an 
example. Also, the terms and concepts covered in this encryp- 
tion discussion apply to decryption as well. 


How to Use PadLock 

In contrast to the external cryptography accelerators usually 
plugged in to PCI slots, the PadLock engine is an integral part 
of the CPU. This fact significantly simplifies its use, because it 
is not necessary to bother with accessing the bus or with inter- 
rupts, asynchronous operations and so on. Encrypting a block 
of memory with xcrypt is as easy as copying it over with the 
movs instruction. 

At this point, encryption is almost an atomic operation. 
Before executing the instruction, the buffer contains plain-text 
input data; a few clock cycles later, when the execution finish- 
es, we have ciphertext. If a task requested processing of a sin- 
gle block, which is 16 bytes in the case of the AES algorithm, 
the operation is fully atomic. That is, the CPU doesn’t interrupt 
it in the middle and doesn’t do anything else until the encryp- 
tion is finished. 

But what if the buffer contains a gigabyte of plain text to 
be processed? It isn’t good to stop all 
other operations and wait for the 
encryption to finish when it’s this large. 


In such a case, the CPU can interrupt 
the encryption after every single block 
of 16 bytes. The current state is saved, 
and whatever else can be done is 
done— interrupts can be handled and 
processes switched. As soon as the 
encrypting process is restarted, the 
instruction continues from the point at 
which it was suspended. That’s why I 
say this is almost an atomic operation: 
for the calling process it looks atomic, 
but it can be interrupted by a higher- 
priority event. The current processing 
state then is saved into the memory and 
registers of the running process, which 
enables multiple tasks to do encryption 
simultaneously, without the risk of 
mixing their data. Again, it is an analo- 
gous situation to copying memory 
blocks with the movs instruction. 


How Fast Is It? 

According to VIA, the maximum 
throughput on 1.2GHz processors 
exceeds 15Gb/s, which is almost 
1.9GB/s. The benchmarks I have run 
confirm that such a speed could be 
achieved in real-world applications and 
not only in VIA marketing papers, 
which definitely was a nice surprise. 

The actual encryption speed 
depends on two factors, cipher mode 
and data alignment. ECB is the fastest, 
while the most widely used CBC mode 
runs at about half of the ECB speed. 
PadLock requires the data to be aligned 
at 16-byte boundaries, so unaligned 
data must be moved to proper address- 
es first, which takes some time. In 
some cases, the Esther CPU can realign 
the data automatically, but this still 
causes some slowdown. 

Table 1 shows some numbers from 
my testing. The OpenSSL benchmark 
for VIA Nehemiah 1.2GHz produced the 
following results in kB/s. 

The bigger the blocks are, the better 
the results are, because the overhead of 
the OpenSSL library itself is eliminat- 
ed. Encryption of 8kB blocks in ECB 
mode can run at about 1.7GB/s; in 
CBC mode, we get about 800MB/s. In 
comparison to software encryption, 
PadLock in ECB mode is 120 times 
faster on the same processor, and CBC 
mode is 60 times faster. 

Thanks to this speedup, IPsec on a 
100Mbps network runs at almost full 
speed, somewhere around 11MB/s. 
Similar speedups can be seen on 
encrypted filesystems. The Bonnie 
benchmark running on a Seagate 
Barracuda in UDMA100 mode pro- 
duced plain-text throughput at a rate of 
61,543kB/s; with PadLock, it was 
49,961kB/s, and a pure software 
encryption ran at only 10,005kB/s. In 
other words, PadLock was only about 
20% slower, while the pure software 
was almost 85% slower than the 
non-encrypted run. See Resources for a link 
to my benchmark page with more 
details and more numbers. 


Linux Support 

So far I have developed Linux support 
for the following packages only for the 
AES algorithm provided by the xcrypt 
instruction, because I haven’t used the 
Esther CPU yet. As soon as I get the 
new processor, I will add support for the 
other algorithms where appropriate. 
Table 1. The OpenSSL Benchmark for VIA Nehemiah 1.2GHz, in kB/s 


                         16 bytes     64 bytes     256 bytes    1,024 bytes    8,192 bytes 
aes-128-ecb (software)   11,274.53    14,327.79    14,608.64    14,672.55      14,693.72 
aes-128-ecb (PadLock)    66,892.82    346,583.52   910,704.21   1,489,932.59   1,832,151.72 
aes-128-cbc (software)   8,276.27     12,915.75    13,264.13    13,313.02      13,322.92 
aes-128-cbc (PadLock)    48,542.30    241,898.79   523,706.28   745,157.61     846,402.90 


Kernel 

When the kernel needs the AES algorithm, it loads by default 
the aes.ko module, which provides its software implementa- 
tion. To use PadLock for AES, you must load the padlock.ko 
module instead. You can do this either by hand with modprobe 
or by adding a single line to /etc/modprobe.conf: 


alias aes padlock 


Now, every time the kernel requires AES, it automatically 
loads padlock.ko too. 

Patches are available for kernel version 2.6.5 and above; see the 
PadLock in Linux home page in Resources. Also, the basic driver 
will be available in the vanilla 2.6.11 kernel without any patching. 


OpenSSL 
Those amongst us who are brave enough to use recent CVS 
versions of OpenSSL already have PadLock support. Users of 
OpenSSL 0.9.7 have to patch and rebuild the library, or they 
can use a Linux distribution that has the patch already included 
in its packages, such as SUSE Linux 9.2. 

To see if your OpenSSL build has PadLock support, run 
this simple command: 


$ openssl engine padlock 
(padlock) VIA PadLock (RNG, ACE) 


If instead of (RNG, ACE) you see (no-RNG, no-ACE), it 
means that your OpenSSL installation is PadLock-ready, but 
your processor is not. You also could see an ugly error message 
saying that there is no such engine. In that case, you should 
upgrade or patch your OpenSSL library. 

For programs that use OpenSSL for their cryptography 
needs to benefit from PadLock support, they must use the so-called 
EVP interface and initialize hardware accelerator support 
somewhere at the beginning of their runs: 


#include <openssl/engine.h> 

int main(void) 
{ 
    /* ... */ 
    ENGINE_load_builtin_engines();     /* make the built-in engines (padlock included) known */ 
    ENGINE_register_all_complete();    /* let EVP prefer them for the ciphers they implement */ 
    /* ... */ 
    return 0; 
} 




See the evp(3) man page from the OpenSSL documentation 
for details. 

In SUSE Linux 9.2, for example, OpenSSH has a similar 
patch to let you experience much faster scp transfers over the 
network. 


Binutils 

To use PadLock in your own programs, you either can call the 
instruction by name—for example, xcryptcbc—or write its 
hexadecimal form directly: 


.byte 0xf3,0x0f,0xa7,0xd0 


For backward compatibility with older development tools, 
it is safer to use the opcode form. Binutils versions 2.15 and 
newer, however, already understand the symbolic names where 
appropriate, for example, in gas (GNU assembler) or objdump 
programs. The binutils BFD library, responsible among other 
things for instruction-level operations, also is used in the GNU 
debugger gdb. A sample instruction dump of an encryption 
function may be as simple as: 


(gdb) x/3i $pc 

0x8048392 <demo1+14>:   lea    0x80495f0, %edx 
0x8048398 <demo1+20>:   repz xcryptecb 
0x804839c <demo1+24>:   push   %eax 


As you might have guessed, SUSE Linux 9.2 has PadLock 
patches in all the appropriate packages, and you can enjoy 
PadLock support out of the box. If your distribution does not 
have these patches, check out my Linux PadLock home page in 
Resources for the available patches. 


Programming PadLock 

In the following sections, I describe some guidelines for pro- 
gramming PadLock, including details of xcryptcbc. I also 
explain how to set up PadLock for encrypting a buffer of 
data with the AES algorithm and a key length of 128 bits in 
CBC mode. All other instructions of the xcrypt group are 
used in exactly the same way. Other PadLock functions 
apply similar rules. 


xcryptcbc 
xcryptcbc does not have any explicit operands. Instead, every 
register has a given, fixed function: 

■ ESI—source address. 

■ EDI—destination address. 

■ EAX—initialization vector address. 

■ EBX—cipher key address. 

■ ECX—number of blocks for processing. 

■ EDX—control word address. 


Unless written otherwise, all addresses must be aligned at 
16-byte boundaries. 


ESI/EDI—Addresses of the Source/Destination Data 

Both source and destination addresses can be the same, so it is 
possible to encrypt in place. The size of the destination buffer 
must be at least the size of the source one. Both must be a mul- 
tiple of the block size, 16 bytes. Under some circumstances, 
the Esther CPU allows processing of unaligned buffers, but the 
operation is slower. 


EAX—Initialization Vector Address 

The initialization vector (IV) is one of the parameters on which 
the result of the encryption depends. The size of the IV is the 
same as the block size, which is 16 bytes. Consult the literature 
for details about initialization vectors. 


EBX—Cipher Key Address 

Cipher keys can have one of the following sizes: 128, 192 or 
256 bits. The AES algorithm internally uses a so-called 
expanded key, which is derived from the given cipher key. For 
128-bit keys, the expanded key can be computed by PadLock. 
For longer keys, you must compute it yourself. 


ECX—Number of Blocks to Process 

The xcrypt instruction always is used with the rep prefix, which 
repeats its execution until the ECX register is zero. The value 
in ECX is decremented after each block is encrypted or decrypted. 


EDX—Control Word Address 

To let PadLock know exactly how to process the data, we must 
fill a structure called control word with the following items: 


■ Algorithm—you can choose only AES. 


■ Key size—one of the supported sizes. 


■ Enc/Dec—direction: encryption or decryption. 


■ Keygen—did we prepare the expanded key or should 
PadLock compute it itself? 


■ Rounds—internal value of the algorithm; see the explana- 
tion later in the text and in PadLock documentation. 


In C, we can use union to allocate the appropriate space 
for the structure and a bit field to describe and access its 
items easily: 


#include <stdint.h> 

union cword { 
    uint8_t cword[16] __attribute__((aligned(16)));  /* PadLock reads these 16 bytes; keep them 16-byte aligned */ 
    struct { 
        unsigned int rounds:4;   /* unsigned: 14 rounds would overflow a signed 4-bit field */ 
        unsigned int algo:3; 
        unsigned int keygen:1; 
        unsigned int interm:1; 
        unsigned int encdec:1; 
        unsigned int ksize:2; 
    } b; 
}; 


Assembler Example 
Now that we know all the theory, it’s time for a real example. 


To begin, here are some lines of pure assembler: 


.comm iv,16,16 
.comm key,16,16 
.comm data,16,16 
.comm cword,16,16 


.text 
.globl cryptcbc 

cryptcbc: 
    pushl %ebx              # EBX is callee-saved in the i386 ABI 
    movl $data, %esi        # Source address 
    movl %esi, %edi         # Destination (same address: in-place) 
    movl $iv, %eax          # IV 
    movl $key, %ebx         # Cipher key 
    movl $cword, %edx       # Control word 
    movl $1, %ecx           # Block count 
    rep xcryptcbc 
    popl %ebx 
    ret 


This piece of code encrypts one block of data with a cipher 
key and an initialization vector, following the parameters set in 
control word cword. Notice that we use the same address for 
both source and destination data, therefore we encrypt in-place. 
Because the field data has a size of only a single block, we set 
the ECX register to one. 


C Language Example 

To use PadLock directly in a C program, we can write the 
PadLock routines to separate assembler source files, then com- 
pile to standalone modules and finally link to our binary. It 
often is easier, though, to use the GCC inline assembler and 
write the instructions directly in the C code. See Resources for 
a link to a tutorial on the inline assembler. 


/* ESI, EDI and EAX are advanced by the CPU as it walks the buffer and 
 * ECX is counted down to zero, so those four are in/out operands; the 
 * "memory" clobber tells the compiler the output buffer was written. */ 
static inline void * 
padlock_xcryptcbc(char *input, char *output, 
                  void *key, void *iv, void *control_word, 
                  int count) 
{ 
    asm volatile ("rep xcryptcbc" 
                  : "+S"(input), "+D"(output), "+a"(iv), "+c"(count) 
                  : "d"(control_word), "b"(key) 
                  : "memory"); 
    return iv; 
} 

This code instructs the compiler to load the given values of 
input, count and other parameters into the appropriate registers. 
It then is told to issue the xcryptcbc instruction and, finally, to 
return the value found in the EAX register as a pointer to the 
new initialization vector. 


To be successful here, we also must fill in the control word 
structure correctly. First of all, it is a good idea to clear the 
union to avoid using any irrelevant values that might be in the 
memory: 


memset(&cword, 0, sizeof(cword)); 


Now let’s fill in the fields one by one. The first one in the 
list is rounds. This item specifies how many times AES pro- 
cessing should be run with the input block, each round using a 
unique part of the expanded key. To comply with the FIPS AES 
standard, use 10 rounds for 128-bit keys, 12 rounds for 192 
bits and 14 rounds for 256 bits. Should the key_size variable 
contain the length of the cipher key in bytes, this is how we get 
the rounds value: 


cword.b.rounds = 10 + (key_size - 16) / 4; 


The next field is algo. This is reserved to let you choose 
future encryption algorithms instead of AES, although 
AES is the only option at the moment. Therefore, leave 
zero here. 

The keygen field must be set to one if we prepare the 
expanded key ourselves. Zero means that PadLock should gen- 
erate it instead, but that is possible only for 128-bit keys: 


cword.b.keygen = (key_size > 16); 


The item interm enables the storing of intermediate results 
after each round of the algorithm is run. I suspect the CPU 
architects used this field for debugging their core, and I don’t 
see much sense in setting this in the program. 

Encryption is distinguished from decryption by the bit 
encdec. Zero is encryption; one is decryption. 

Finally, we must set the key size in the two bits of ksize: 


cword.b.ksize = (key_size - 16) / 8; 


That’s it. With this prepared control word structure and 
properly aligned buffers, we can call padlock_xcryptcbc(). If 
the electrons are on our side, in a short while we receive the 
encrypted data. 
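As an added example (not code from the article or from VIA's documentation), the control-word rules above can be gathered into one function that validates the key length before touching any field, paired with the 16-byte alignment check PadLock requires for the control word, key, IV and data buffers before xcryptcbc is issued. The bit-field layout of the union, written in the order the article discusses the fields, and the helper names are assumptions made for this example; the hardware instruction itself is not invoked, so the code runs on any CPU.

```c
/* Added example, not code from the article: the control-word rules the
   article gives, collected into one function with the validation a caller
   needs, plus the alignment check for the buffers handed to xcryptcbc.
   The bit-field layout below is an assumption for this example, written in
   the order the article discusses the fields; the helper names are ours. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

union padlock_cword {
    uint32_t cword[4];        /* 16-byte control word block (assumed layout) */
    struct {
        unsigned rounds : 4;  /* AES rounds: 10, 12 or 14 */
        unsigned algo   : 3;  /* reserved for future algorithms; 0 = AES */
        unsigned keygen : 1;  /* 1 = we supply the expanded key ourselves */
        unsigned interm : 1;  /* store intermediate results (debugging aid) */
        unsigned encdec : 1;  /* 0 = encrypt, 1 = decrypt */
        unsigned ksize  : 2;  /* 0 = 128-bit, 1 = 192-bit, 2 = 256-bit key */
    } b;
};

/* Fill *cw for a cipher key of key_size bytes.  Returns 0 on success, -1 if
   key_size is not an AES key length.  The union is cleared first in both
   cases, so stale memory never reaches the hardware. */
int padlock_init_cword(union padlock_cword *cw, size_t key_size, int decrypt)
{
    memset(cw, 0, sizeof *cw);
    if (key_size != 16 && key_size != 24 && key_size != 32)
        return -1;
    cw->b.rounds = 10 + (key_size - 16) / 4;  /* FIPS: 10/12/14 rounds */
    cw->b.algo   = 0;                         /* AES is the only option */
    cw->b.keygen = (key_size > 16);           /* hardware expands 128-bit keys only */
    cw->b.interm = 0;
    cw->b.encdec = decrypt ? 1 : 0;
    cw->b.ksize  = (key_size - 16) / 8;       /* 0, 1 or 2 */
    return 0;
}

/* Round a pointer up to the next 16-byte boundary (buffer must have slack). */
void *padlock_align16(void *p)
{
    return (void *)(((uintptr_t)p + 15) & ~(uintptr_t)15);
}

/* PadLock wants the control word, key, IV and data buffers 16-byte aligned;
   check them all before issuing xcryptcbc.  Returns 1 if every pointer is
   aligned, 0 otherwise. */
int padlock_buffers_aligned(const void *input, const void *output,
                            const void *key, const void *iv, const void *cw)
{
    const void *ptrs[] = { input, output, key, iv, cw };
    for (size_t i = 0; i < sizeof ptrs / sizeof ptrs[0]; i++)
        if (((uintptr_t)ptrs[i] & 15) != 0)
            return 0;
    return 1;
}
```

The point of clearing the union before the length check is that a caller which ignores the return value still hands the hardware an all-zero control word rather than whatever the stack held; the alignment check catches the other common way of getting garbage back from the instruction.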


Conclusion 
PadLock documentation is available publicly on the VIA Web 
site; there you can find further information about PadLock pro- 
gramming caveats. The complete example program for 
encrypting one block of data, including verification of the 
result, can be found on my PadLock in Linux home page. See 
Resources for additional links. 

Resources for this article: www.linuxjournal.com/article/8137.


Michal Ludvig (michal@logix.cz) recently moved from Prague in the Czech Republic to Auckland on the other side of the world to work as a senior engineer for Asterisk Ltd. He enjoys exploring the secrets of New Zealand with his wife and daughter. 
INDEPTH GCC 


Writing a GCC Front End 


Language designers rejoice! Now it’s easier to 
put a front end for your language onto GCC. 
BY TOM TROMEY 


GCC, the premier free software compiler suite, has undergone many changes in the last few years. One change in particular, the merging of the tree-ssa branch, has made it much simpler to write a new GCC front end. 

GCC always has had two different internal representations, 
trees and RTL. RTL, the register transfer language, is the low- 
level representation that GCC uses when generating machine 
code. Traditionally, all optimizations were done in RTL. Trees 
are a higher-level representation; traditionally, they were less 
documented and less well known than RTL. 

The tree-ssa Project, a long-term reworking of GCC inter- 
nals spearheaded by Diego Novillo, changes all that. Now, 
trees are much better although still imperfectly documented, 
and many optimizations are done at the tree level. A side effect 
of this work on trees was the clear specification of a tree-based 
language called GENERIC. All GCC front ends generate 
GENERIC, which is later lowered to another tree-based repre- 
sentation called GIMPLE, and from there it goes to RTL. 

What this means to you is that it is much, much simpler to 
write a new front end for GCC. In fact, it now is feasible to 
write a front end for GCC without any knowledge of RTL 
whatsoever. This article provides a tour of how you would go 
about connecting your own compiler front end to GCC. The 
information in this article is specific to GCC 4.0, due to be 
released in 2005. 


Representing the Program 

For our purposes, compilation is done in two phases, parsing 
and semantic analysis and then code generation. GCC handles 
the second phase for you, so the question is, what is the best 
way to implement phase one? 

Traditional GCC front ends, such as the C and C++ front 
ends, generate trees during parsing. Front ends like these typi- 
cally add their own tree codes for language-specific constructs. 
Then, after semantic analysis has completed, these trees are 
lowered to GENERIC by replacing high-level, language-spe- 
cific trees with lower-level equivalents. One advantage of this 
approach is the language-specific trees usually are nearly GENERIC already. The lowering phase often can prevent generating too much garbage. 

The primary disadvantage of this approach is trees are 
typed dynamically. In theory, this might not seem so bad— 
many dynamically typed environments exist that can be used 
efficiently by developers, including Lisp and Python. However, 
these are complete environments, and GCC’s heavily macro- 
ized C code doesn’t confer the same advantages. 

My preferred approach to writing a front end is to have a 
strongly typed, language-specific representation of the pro- 
gram, called an abstract syntax tree (AST). This is the 
approach used by the Ada front end and by gcjx, a rewrite of 
the front end for the Java programming language. 

For instance, gcjx is written in C++ and has a class hierar- 
chy that models the elements of the Java programming lan- 
guage. This code actually is independent of GCC and can be 
used for other purposes. In gcjx’s case, the model can be low- 
ered to GENERIC, but it also can be used to generate bytecode 
or JNI header files. In addition, it could be used for code intro- 
spection of various kinds; in practice, the front end is a 
reusable library. 

This approach provides all the usual advantages of a 
strongly typed design, and in the GCC context, it results in a 
program that is easier to understand and debug. The relative 
independence of the resulting front end from the rest of GCC 
also is an advantage, because GCC changes rapidly and this 
loose coupling minimizes your exposure. 

Potential disadvantages of this approach are the possibili- 
ties that your compiler might do more work than is strictly 
needed or use more memory. In practice, this doesn’t seem to 
be too important. 

Before we talk about some details of interfacing your 
front end to GCC, let’s take a look at some of the documen- 
tation and source files you need to know. Because it hasn’t 
been a priority in the GCC community to make it simpler to 
write front ends, some things you need to know are docu- 
mented only in the source. The documentation references 
here refer to info pages and not URLs, because GCC 4.0 has 
not yet been released. Thus, the Web pages reflect earlier 
versions. Your best bet is to check out a copy of GCC from 
CVS and dig around in the source. 


■ gcc/c.opt: describes command-line options used by the C family of front ends. More importantly, it describes the format of the .opt files. You’ll be writing one of these. 


■ gcc info page, node Spec Files (source file gcc/doc/invoke.texi): describes the spec mini-language used by the GCC driver. You'll write some specs to tell GCC how to invoke your front end. 


■ gccint info page, node Front End (source file gcc/doc/sourcebuild.texi): describes how to integrate your front end into the GCC build process. 


■ gccint info page, node Tree SSA (source file gcc/doc/tree-ssa.texi): describes GENERIC. 


■ gcc/tree.def, gcc/tree.h: some attributes of trees don’t seem to be documented, and reading these files can help. tree.def defines all the tree codes and is, in large part, explanatory comments. tree.h defines the tree node structures, the many accessor macros and declares functions that are useful in building trees of various types. 


■ libcpp/include/line-map.h: line maps are used to represent source code locations in GCC. You may or may not use these in your front end—gcjx does not. Even if you do not use them, you need to build them when lowering to GENERIC, as information in line maps is used when generating debug information. 


■ gcc/errors.h and gcc/diagnostic.h: define the interface to GCC’s error formatting functions, which you may choose to use. 


■ gcc/gdbinit.in: defines some GDB commands that are handy when debugging GCC. For instance, the pt command prints a textual representation of a tree. The file .gdbinit also is made in the GCC build directory; if you debug there, the macros immediately are available. 


■ gcc/langhooks.h: lang hooks are a mechanism GCC uses to allow front ends to control some aspects of GCC’s behavior. Each front end must define its own copy of the lang hooks structures; these structures consist largely of function pointers. GCC’s middle and back ends call these functions to make language-specific decisions during compilation. The lang hooks structures do change from time to time, but due to the way GCC expects front ends to initialize these structures, you largely are insulated from these changes at the source level. Some of these lang hooks are not optional, so your front end is going to implement them. Others are ad hoc additions for particular problems. For instance, the can_use_bit_fields_p hook was introduced solely to work around an optimization problem with the current 


Writing the Driver 

Currently, GCC requires your front end to be visible at build time—there is no way to write a front end that is built separately and linked against an installed GCC. For this step, read through the appropriate section of the GCC manual to find out how to write the build infrastructure needed for your front end. Ordinarily, the simplest way is to copy another front end’s files and modify them to suit. 

Next, write two files to help integrate your front end into the GCC driver program. The lang-specs.h file describes your front end to the GCC driver. It tells the driver the file extensions that, when seen on the command line, should cause GCC to invoke your front end. It also gives the driver some instructions for what other programs must be run, such as whether the assembler should be run after your front end and how to pass or modify certain command-line options. It may take a while to write this file, as specs are their own strange language. However, examples in the other front ends can help. 

The lang.opt file describes any command-line options specific to your front end. This is a plain-text file written in a straightforward format. Simple options, such as warning flags, can be put in lang.opt and do not require any other code on your part. Other arguments have to be handled by a lang hook you must write. 

Next, implement the lang hooks needed to drive the compi- 
lation process. The important ones in this category are: 


■ init_options: the first call made to your front end, before any option processing is done. 


■ handle_option: called to handle a single command-line option. 


■ post_options: called after all command-line processing has been done. This lang hook also is a convenient place to determine the name of the input file to parse. 


■ init: called after post_options to initialize your front end. 


■ finish: called after all compilation is done. You can use this to clean up after your front end, if necessary. 


■ parse_file: a lang hook that does all the parsing, semantic analysis and code generation needed for the input file. It does all the actual work of compilation. 


Initialization 

GCC needs your front end to do some initialization. Most of 
GCC is self-initializing, but in order to accommodate the needs 
of different front ends, it is possible to initialize some tree- 
related global variables in atypical ways. I recommend not try- 
ing to delve too deeply into this. It is simpler to define the 
standard tree nodes in the standard ways and to think up your 
own names for trees representing, say, the standard types in 
your language. 

During initialization call build_common_tree_nodes, 
set_sizetype and build_common_tree_nodes_2. set_sizetype 
is used to set the type of the internal equivalent of size_t; it 
is simplest to set this always to long_unsigned_type_node. 

Other setup steps can be done in this phase. For 
instance, in the initialization code for gcjx, we build types 
representing various structures that we need to describe 
Java classes and methods. 


Compiling to GENERIC 
Your parse_file lang hook calls your compiler to generate 
your internal data structures. Assuming this completes 
without errors, your front end now is ready to generate 
GENERIC trees from your AST. In gcjx, this is done by 
walking the AST for a class using a special visitor API. The 
GENERIC-specific implementation of this API incremen- 
tally builds trees representing the code and then hands this 
off to GCC. 

All the details of generating trees are outside the scope of 
this article. Below are examples, however, showing three major 
tree types so you can see what each looks like. 


Type 
One kind of tree represents a type. Here is an example from gcjx of the Java char type: 


tree type_jchar = make_node (CHAR_TYPE);
TYPE_PRECISION (type_jchar) = 16;
fixup_unsigned_type (type_jchar);


You can represent any type using trees. In particular, there 
are tree types representing records, unions, pointers and inte- 
gers of various sizes. 


Decl 

Decl represents a declaration or, in other words, a name given 
to some object. For instance, a local variable in the source code 
is represented by a decl: 


tree local = build_decl (VAR_DECL, get_identifier ("variable_name"),
                         type_jchar);


There are decls representing various named objects in a 
program: translation units, functions, fields, variables, parame- 
ters, constants, labels and types. A type decl represents the dec- 
laration of the type, as opposed to the type itself. 


Expr 

Many kinds of expr trees are available that represent the vari- 
ous kinds of expressions in a program. These are similar to C 
expressions but are more general in some ways. For instance, 
trees do not distinguish between if statements and conditional 
expressions — both are represented by a COND_EXPR, with 
the only difference being that an if statement has void type. 
Here’s how we can build an expression that adds our variable 
to itself: 


tree addition = build2 (PLUS_EXPR, type_jchar, local, local); 


Trees that represent statements are linked together using a 
special iterator API. Here is how we would chain together two 
statements, sl and s2: 


tree result = alloc_stmt_list ();
tree_stmt_iterator out = tsi_start (result);

tsi_link_after (&out, s1, TSI_CONTINUE_LINKING);
tsi_link_after (&out, s2, TSI_CONTINUE_LINKING);

// Now 'result' holds the list of statements.


Other kinds of tree nodes exist; read tree.def and the manu- 
al for a more complete understanding. It also is possible for a 
front end to define its own tree codes; however, if you have 
your own AST, you should not need to do this. 

The overall structure of the program you generate probably 
is going to resemble a translation unit decl, which would con- 
tain types, variables and functions. 
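To make the Type, Decl and Expr sections and the statement-list iterator concrete in something you can compile and run, here is an added example that is not code from the article or from GCC: a miniature stand-in for the tree API in plain C, covering a type node, a decl, a PLUS_EXPR, a COND_EXPR in both its if-statement (void) and expression forms, and a statement list, with a debug_tree-style printer. Every node layout and function name here (make_type, build_decl, build2, build3, append_stmt, stmt_count, dump_tree) is a simplification assumed for the example, not the real GCC interface; unlike GCC, this version refuses to build a mistyped expression instead of letting a later pass crash on it.

```c
/* Added example, not code from the article or from GCC: a miniature stand-in
   for the tree API the article shows (type, decl, expr, statement list).
   Node layout and function names are simplifications assumed here, not GCC's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum tree_code { CHAR_TYPE, VOID_TYPE, VAR_DECL, PLUS_EXPR, COND_EXPR, STATEMENT_LIST };
static const char *const tree_code_name[] =
    { "CHAR_TYPE", "VOID_TYPE", "VAR_DECL", "PLUS_EXPR", "COND_EXPR", "STATEMENT_LIST" };

typedef struct tree_node *tree;
struct tree_node {
    enum tree_code code;
    tree type;          /* type of a decl or expr; NULL for type nodes */
    unsigned precision; /* type nodes: width in bits (TYPE_PRECISION) */
    const char *name;   /* decls: the identifier */
    tree ops[3];        /* exprs: operands; STATEMENT_LIST: ops[0] = head */
    tree next, last;    /* statement chaining; list tail pointer */
};

static tree make_node(enum tree_code code)
{
    tree t = calloc(1, sizeof *t); if (!t) abort();
    t->code = code;
    return t;
}

/* Type node, e.g. make_type(CHAR_TYPE, 16) for Java's char. */
static tree make_type(enum tree_code code, unsigned precision)
{
    tree t = make_node(code); t->precision = precision; return t;
}

static tree build_decl(enum tree_code code, const char *name, tree type)
{
    tree d = make_node(code); d->name = name; d->type = type; return d;
}

/* Binary expression.  GCC would accept mistyped operands and crash in some
   later pass; here the mismatch is rejected where the front end makes it. */
static tree build2(enum tree_code code, tree type, tree a, tree b)
{
    if (!type || !a || !b || a->type != type || b->type != type)
        return NULL;
    tree e = make_node(code);
    e->type = type; e->ops[0] = a; e->ops[1] = b;
    return e;
}

/* COND_EXPR: an if statement when TYPE is void (else arm optional),
   otherwise a conditional expression whose arms must both have TYPE. */
static tree build3(enum tree_code code, tree type, tree c, tree t, tree e)
{
    if (!type || !c || !t) return NULL;
    if (type->code != VOID_TYPE && (t->type != type || !e || e->type != type))
        return NULL;
    tree x = make_node(code);
    x->type = type; x->ops[0] = c; x->ops[1] = t; x->ops[2] = e;
    return x;
}

static tree alloc_stmt_list(void) { return make_node(STATEMENT_LIST); }

/* Append in order: the role tsi_link_after with TSI_CONTINUE_LINKING plays. */
static void append_stmt(tree list, tree stmt)
{
    stmt->next = NULL;
    if (list->last) list->last->next = stmt; else list->ops[0] = stmt;
    list->last = stmt;
}

static int stmt_count(tree list)
{
    int n = 0; for (tree s = list->ops[0]; s; s = s->next) n++; return n;
}

/* One-line s-expression dump of T into BUF, in the spirit of GCC's debug_tree.
   Output stops silently once BUF is full; the returned offset is the length needed. */
static size_t dump_tree(tree t, char *buf, size_t n, size_t off)
{
#define EMIT(...) do { if (off < n) off += snprintf(buf + off, n - off, __VA_ARGS__); } while (0)
    if (!t) { EMIT("<nil>"); return off; }
    EMIT("(%s", tree_code_name[t->code]);
    if (t->code == CHAR_TYPE || t->code == VOID_TYPE)
        EMIT(" :prec %u", t->precision);
    else if (t->code == VAR_DECL)
        EMIT(" %s %s", t->name, tree_code_name[t->type->code]);
    else if (t->code == STATEMENT_LIST)
        for (tree s = t->ops[0]; s; s = s->next) { EMIT(" "); off = dump_tree(s, buf, n, off); }
    else {  /* expressions: result type, then operands */
        EMIT(" %s", tree_code_name[t->type->code]);
        for (int i = 0; i < 3 && t->ops[i]; i++) { EMIT(" "); off = dump_tree(t->ops[i], buf, n, off); }
    }
    EMIT(")");
    return off;
#undef EMIT
}
```

Building the article's own sequence with these helpers (a CHAR_TYPE of precision 16, a VAR_DECL of that type, a PLUS_EXPR adding the variable to itself, then two statements appended to a list) and dumping the list shows the same nesting the pt command or debug_tree would print in GDB; the early NULL from build2 on a type mismatch is the kind of consistency check that saves the stack-walking the Debugging section describes.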


Handoff 

Once you’ve built the trees representing a function, a global 
variable or a type for which you want to generate debugging 
information, you need to pass the tree to the appropriate func- 
tion to handle the rest of compilation. Three such functions are 
available at present: rest_of_decl_compilation handles compilation for a decl node, cgraph_finalize_function handles compilation for a function and rest_of_type_compilation handles compilation for a type. 


Debugging 

Although GCC has a fair number of internal consistency 
checks, it still is too easy to provoke crashes in code that are 
unrelated to your front end. In many cases, you can move up 
the stack, printing whatever trees are being manipulated, until 
you find some discrepancy caused by incorrect tree generation. 
This technique requires surprisingly little general GCC knowl- 
edge in order to effectively debug your code. 

GCC has some handy debug functionality. In the debugger 
you can call the debug_tree function to print a tree. You also 
can use the -fdump-tree family of command-line options to 
print trees after various passes have been run. 


Experience 

My experience writing gcjx has been that lowering its 
strongly typed intermediate representation to trees is quite 
simple. The tree back end to gcjx, one back end among sev- 
eral, represents roughly 10% of the total code of the compil- 
er. Although unfinished, it currently weighs in at 6,000 lines 
of code (raw wc -l count)—around the same size as the 
bytecode back end. One inference to draw from this is if 
you already have a compiler, the task of attaching it to GCC 
can be accomplished easily. 

As trees are high-level, I haven’t looked at any RTL while 
writing this front end. I haven’t spent any time at all thinking 
about or dealing with processor-specific issues. Unless your 
language has some esoteric requirements, this ought to hold for 
you as well. 

The statically typed AST in gcjx is easily reused. Currently, 
there are four back ends, and I expect to write more later. For 
instance, it would be simple to build a back end that writes a 
cross-reference representation of the program to a database. Or, 
it would be possible to write a back end that walks the AST 
searching for typical errors, akin to the FindBugs program. 
This consideration would be even more compelling for lan- 
guages, which, unlike Java, don’t already have a wealth of 
analysis tools. 


Future Directions 
The process of writing a front end certainly could be 
made even easier. For instance, there is no need to require 
lang-specs.h. Instead, a front end could install a description 
file that the GCC driver would read at startup. Similarly, 
lang.opt probably could be dispensed with. With more work, 
it even would be possible to compile front ends separately 
from the rest of GCC. 

Resources for this article: www.linuxjournal.com/article/8138. 


Tom Tromey has been involved with free software 
since 1991 and has worked on many different pro- 
grams. He currently is employed as an engineer at 
Red Hat, working on GCC. 
INDEPTH LINUX IN THE CLASSROOM 


Linux in the Classroom: an Experience with Linux and Open-Source Software in an Educational Environment 


Formerly tied to one proprietary OS, this multicampus college is broad- 
ening students’ horizons with Linux, Samba, SquirrelMail and more. 
BY JOSEPH RUFFOLO AND RON TERRY 


Mountainland Applied Technology College (MATC) is one of several campuses that are a part of 
the Utah College of Applied Technology 
(UCAT) system. Our department teaches 
information technology courses to both 
high-school and adult students. We pro- 
vide individual technology courses, 
short-term intensive training (STIT) 
courses, custom fit courses and an edu- 
cation track that ends with an Associate 
of Applied Technology degree or 
Certificate of Completion in Information 
Technology. We currently have two 
satellite sites with a probability of 
adding two more in the 2005-2006 
school year. 

Until the last few years, we had 
relied solely on Microsoft operating sys- 
tems in our classrooms. Unfortunately, 
when you give students sufficient 
rights to work on their course material 
and labs, spyware and viruses are 
introduced despite your best uses of 
firewalls and virus scanners. These 
problems have entered the network 
through means such as Web surfing, 
floppies and USB thumbdrives. 


Our Evolving Use of Linux 

Starting with the 2001-2002 school 
year, Mountainland Applied 
Technology College began offering 
Linux courses at the Orem MATC cam- 
pus. Over the next several years, our 
Linux class enrollments and course 
offerings continued to grow, matching 
the growing use of Linux at home and 
in businesses. Coupled with individual 
Linux distribution evaluations, teaching 
these courses was a convincing experi- 
ence that Linux was a viable operating 
system for the IT department’s infra- 
structure and for hosting courseware on 
our classroom machines. 

At the start of the 2000-2001 school 
year, individual classroom servers were 
running either Microsoft Windows 2000 
or Novell Netware. We started using a 
Linux-based firewall/router product 
called Freesco in the individual class- 
rooms to help deal with the increasing 
amount of malware and the security 
inadequacies of Windows. 

During the 2001-2002 school year, 
a Windows 2000 system continued as 
the main classroom server. Up until this time we still had no main department server. We brought up a system with 
Linux as a secondary server and started 
working on integrating Linux into 
Microsoft Active Directory with great 
difficulty and little success. We tried 
using Microsoft Services for Unix, 
winbind (Samba 2.2.x) and pam_smb, 
but we still couldn’t make things work 
well and temporarily abandoned our 
attempt to integrate Linux authentica- 
tion with Active Directory. During 
this school year, we also taught our 
first Linux course for CompTIA 
Linux+ certification. 

During the 2002-2003 school year, 
we replaced the classroom Windows 
2000 server with a Linux system run- 
ning Mandrake 9.1. We had an 
epiphany, so to speak, when we changed 
our paradigm in relation to what to use 
on our server(s) in the back end. We dis- 
covered that using Linux for the back 
end made it a much easier task to inte- 
grate different operating systems, such 
as Microsoft and Linux, as opposed to 
using Windows and Active Directory as 
the back end. 

During the second half of the school 
year, various Linux distributions, such 
as Red Hat 9 beta and Mandrake 9.1, 
were beta tested on the desktop. NIS 
was used for user authentication on 
Linux clients and Samba, as a domain 
controller, for user authentication in 
Windows. Although this setup worked, 
it was frustrating to deal with multiple 
passwords for the same user account, 
and we started looking for a better solu- 
tion. During this school year, we also 
taught the first incarnation of our Linux 
Server Administration course, using 
what we had learned through our experi- 
ences up to this point. 

The 2003-2004 school year was a 
time when Linux technology, other 
open-source software and our under- 
standing and ability to use it all caught 
up with their promised potential. The 
main IT classroom servers were moved 
from NetWare and Windows 2000 to a 
single department server running Linux, 
in this case Mandrake 9.1. We started 
using OpenLDAP as a central repository 
for user authentication. LDAP was used 
as the back-end database for Samba, and 
we used the pam_ldap modules for 
Linux client authentication. We started 
using Linux on the desktop—initially Red Hat 9, Fedora Core 1 or SUSE 9—as the default option in a dual-boot configuration with Windows XP Pro. At this time, the majority of our students chose the Windows option with a few brave souls trying Linux. 


82 MAY 2005 WWW.LINUXJOURNAL.COM 

We also retained Windows because 
several courseware packages either 
required Microsoft products, including 
the Windows OS, Internet Explorer or 
Media Player, or the browsers avail- 
able for Linux were not sufficiently 
Microsoft-Internet-Explorer-compati- 
ble to use some sites. All things con- 
sidered, we were pleased with the sta- 
bility of Linux on the desktop. We 
were impressed particularly with the 
virtual elimination of problems with 
viruses, spyware and overly curious 
students that we suffered with desktop 
Windows systems. 

The 2004—2005 school year has 
proved to be one of continued and sig- 
nificant improvements. We upgraded 
the main Information Technology 
department server to Fedora Core 2 to 
gain the advantages of the Linux 2.6 
kernel. We also started offering students 
in the Information Technology depart- 
ment e-mail using Postfix, Dovecot and 
SquirrelMail, with filtering provided by 
SpamAssassin and ClamAV. On the 
Microsoft compatibility front, we 
upgraded to Samba 3, which provides 
much better integration with 
OpenLDAP and creates a new opportu- 
nity for us in our quest for a true single 
sign-on solution. 

We now have an environment where 
our users can log in to either Linux or 
Windows XP Pro using the same user 
name and password. Linux clients 
authenticate using pam_ldap, and users 
have home directories stored on the 
server, shared via NFS and dynamically 
mounted at login time using autofs. 
Windows clients are joined to a domain 
controlled by Samba, allowing users to 
authenticate using the same account 
information, user name and password as 
they would if they were logging in to a 
Linux client. The same home directories 
on the server that are used with Linux 
are available in Windows through auto- 
matic drive mappings. Windows users’ 
roaming user profiles also are stored in 
their home directories on the server. 

To take a step further in the single 
sign-on arena, users also use the same 
account information to access their e- 
mail. We have provided Web-based 
access to e-mail, which also is stored in their home directories on the server, 
through SquirrelMail. Standard POP3 or 
IMAP access is provided by Dovecot. 
Fedora Core 2 or Fedora Core 3 is 
the primary desktop operating system, 
depending on the lab. Windows XP Pro 
also is available as a dual-boot option in 
some labs, but we strongly encourage 
our students to use Linux. We are find- 
ing that, for the most part, our students 
have had little difficulty making the 
switch to using Linux as their primary 
desktop operating system. In many cases, they are enjoying it more than 
Windows because of the capabilities of 
KDE and GNOME to be customized to 
a user’s individual taste. 

To support software updates and patches between re-imaging, we have set up a centralized software/package repository on our main IT department server that mirrors the updates available on the Web. The lab servers at the remote sites then mirror a copy of the updates from the main server. The individual Linux clients in each lab then are scheduled to pull the updates from their respective lab server using apt4rpm. This method allows for better bandwidth usage, particularly for our sites connected via T1, and a controlled set of software and patches. 


DESKTOP AND SERVER SOFTWARE 


Server Software Configuration 

OS Distribution: Fedora Core 2 
Email: 
  MTA: Postfix 
  LDA/MDA: procmail + Dovecot IMAP 
  MUA: SquirrelMail 
  Filtering: SpamAssassin + ClamAV 
User Database: OpenLDAP 
User Management: phpLDAPAdmin 
Package Management/Updates: APT, APT4RPM, Synaptic and YAM (for repository mirroring) 
Web Serving: Apache 
File Serving: Samba + NFS 


Desktop Software Configuration 

OS Distribution: Fedora Core 3 
Desktop Environment: KDE 3.3 and GNOME 2.6 
Office Suite: OpenOffice.org 1.1.x (We are testing CrossOver Office with Microsoft Office XP as a fallback option.) 
Web Browser: Firefox 
Package Management: APT + Synaptic 

What we have developed on our 
main campus is a robust infrastructure 
free from many of the problems related 
to Microsoft Windows. Samba has 
replaced Windows as our domain con- 
troller for those desktops that need to 
run Windows. The latest version of 
OpenLDAP has proven robust, and 
Samba, Apache, Postfix and PAM take full advantage of its capabilities. Refer to Figure 1 to see the complete MATC infrastructure. 


Figure 1. MATC Infrastructure (main server: Linux OS providing LDAP authentication, file storage, e-mail server, Web server, file replication and RPM repository; Park City firewall and local server; American Fork firewall) 


Linux Use at Remote Campuses 

The MATC main campus is in Orem, 
Utah, and we have a secondary campus 
in American Fork, Utah, approximately 
10 miles away, that is connected to the 
main campus by a T1 line. We also have 
a lab in Park City, Utah, approximately 
50 miles away, that we share through a 
partnership with the Park City School 
District. 

During the 2003—2004 school year, 
the IT classroom at the American Fork 
campus was configured with a system 
running a Linux-based firewall and a 
separate server based on Fedora Core 2. 
That server hosted Linux distribution 
ISO images, pre-made VMware and 
VirtualPC images and files related to the 
courses the students were taking. It also 
provided some storage space for the stu- 
dents’ work. The workstations ran 
Windows XP Pro, and all students 
logged in using a single user name and 
password local to the workstation. 

Recently, during the 2004—2005 
school year, the American Fork server 
has been upgraded to Fedora Core 3 
with the latest versions of Samba, 
OpenLDAP and other software. The 
server now provides DNS and DHCP 
services, stores the home directories for 
the students that attend IT classes at that 
site and acts as the backup domain controller for the Windows clients in that lab. All course-related data is synchronized daily from the main server at our 
Orem campus using rsync. The firewall 
provides filtering and NAT masquerad- 
ing and handles all of the Internet traffic 
for the workstations in that lab. Linux 
clients mount the home directories 
stored on the server using NFS. The 
main IT department server in Orem pro- 
vides user authentication for all users. 

All LDAP requests, generated either 
by the Linux clients or the Samba server 
on behalf of the Windows clients, are 
tunneled through OpenSSL to provide 
security. Although funneling all authen- 
tications back to our main campus is not 
an ideal solution, it has turned out to be 
surprisingly trouble free and highly reli- 
able. We had to resort to this method 
because our attempts to use slapd to 
synchronize the LDAP servers between 
the Orem campus and American Fork 
campus often were interrupted due to 
circumstances beyond our control, such 
as high traffic volume and line unrelia- 
bility. I must interject that we only pro- 
vide computer services for our depart- 
ment and not the entire school. The 
result of these interruptions was the 
LDAP directory being out of sync 
between these servers. 

The shared lab in Park City is locat- 
ed in the Park City Learning Center. As 
a member of the Park City School 
District (PCSD) network, the PCs and 
network are locked down tightly and 
administered by the highly competent 
PCSD IT staff. In discussions with the school district IT staff, we reviewed some issues with security that had impacted our ability to teach IT courses during the 2003-2004 school year. We jointly decided on a plan to include a Linux-based server that would provide Network Address Translation (NAT), DHCP and routing, along with hosting Linux distribution ISO images, pre-made VMware images and files related to the courses the students were enrolled in, plus some storage space for our students. Seventeen lab PCs were imaged to dual-boot into Windows XP or Fedora Core 2. The PCSD IT staff, with the excellent help of Harold Hanson, provided a VLAN that isolated the Linux server, yet allowed us to change connections quickly so that Windows XP users still could authenticate into the PCSD Novell network. This enables us to provide authentication and other services for our students while they are in the lab, while not interfering with the PCSD IT staff’s ability to maintain the network for their students. 

The setup in the Park City lab is similar to that in the American Fork lab. The lab server provides file, print, name and address services as well as a mirror of the software and patch updates for the Linux clients. The main server at our Orem campus, using SSL to secure the transmissions, still provides all user authentications. Refer to Figure 2 to see our infrastructure template for remote campuses. 


Figure 2. At each remote campus, one Linux file server offers local clients fast access to large files, while a Linux firewall also functions as a DHCP server. (Firewall: Pentium 2/3-based PC running Linux firewall software, providing DHCP, NAT and routing. Typical classroom PC: dual boot Linux/Windows, with Linux and Windows VMware images, Windows Virtual PC, OpenOffice and MS Office. Local server: Linux OS with local storage, ISO files, VMware and Virtual PC image files, and course files replicated from the main server.) 


Conclusion

We have, over the past few years, developed a system based around Linux and open-source software that allows us to provide computing services for our students to enhance their learning experience in a manner that is both easy to maintain and simple to extend and replicate. It also has been quite inexpensive to implement, maintain and update. For those in the educational realm, cost is extremely important given the limited financial resources available to most secondary and post-secondary institutions. There is no doubt that more and more schools and businesses will move in a direction similar to ours as Linux and open-source software become more recognized and usable. This is one of the primary reasons that we are working so hard to provide Linux and open-source software training. All of our Linux courses have been influenced by our own experiences and include instruction in most if not all of the techniques that we have developed and refined.

Our journey with Linux and open-source software is far from over. We continue to refine and explore new areas to meet our current and future needs. Things we are working on and plan for the future include:

- Testing new groupware solutions, such as eGroupWare and OpenGroupWare.
- Testing Windows applications integration with Linux, using products such as CodeWeavers CrossOver Office.
- Testing and implementing new Linux distributions, such as Fedora Core 3 and future versions of Fedora.
- Increasing use of OpenLDAP as a central user and service information database.
- Using new features of OpenLDAP, including LDAP sync replication.
- Perfecting software updates from our mirrored apt repositories.
- Implementing other centralized administration and management techniques.
- Creating, revising and deploying hardware and software templates for labs and remote campus sites.
INDEPTH about:config

Ten Mysteries of about:config

Move along, nothing to see here. Some Firefox preferences are just too technical for end users. Oh, you’re a Linux Journal reader? Come on in.
BY NIGEL MCFARLANE

The Firefox Web browser, built by the Mozilla Foundation and friends, is a complicated piece of technology—if you care to look under the hood. It’s not obvious where the hood catch is, because the surface of Firefox (its user interface) is polished to appeal to ordinary, nontechnical end users. This article gives you a glimpse of the engine. It explains how the Mozilla about:config URL opens up a world of obscure preferences that can be used to tweak the default setup. They’re an improbable collection and therein lies the beauty of Firefox if you’re a grease monkey or otherwise technical. At the end you’ll know a little more about Firefox, but only enough to be dangerous.

Like any Linux-friendly piece of software, Firefox responds to preset environment variables. You can, for example, set the MOZILLA_FIVE_HOME or MOZ_PLUGIN_PATH variables prior to startup. They both work like the standard PATH, so no surprises there. The per-process space available for environment variables is, however, limited, and a simple textual concatenation of attribute-value pairs is a fairly inflexible way to store data. Firefox has a large set of runtime configuration options, and the environment isn’t a suitable storage area.

Firefox configuration is stored in a small attribute-type-value database called the preference system. You can see a delta of this data set in the ~/.mozilla/firefox/*/prefs.js file. That file holds only the nondefault values selected by the user. The rest of the preferences either are unstated or stated in install files that are part of the standard install. For me, they’re in /local/install/firefox/defaults/pref, because /local is my playpen of choice.

For a technical person, this system is a bit problematic because the full list of preferences doesn’t appear anywhere on disk, and the standard way to change those preferences is to use the Firefox User Interface, which also is incomplete. That interface provides GUI elements (buttons, fields and check boxes) for only the most basic of the preferences available. Firefox isn’t trying to be Emacs, after all. The rest of the preferences have to be dug up from elsewhere.

That other place is the special string about:config, which can be typed in the Firefox Location bar where the addresses of Web sites are entered. Briefly recall the taxonomy of W3C addresses: URIs (Universal Resource Identifiers) are a special case of IRIs (International Resource Identifiers). A URI either can be a URL (a Uniform Resource Locator) or a URN (a Uniform Resource Name). It’s URLs that we see all the time. They consist of a scheme (typically http), a colon (:) and an address (x.org).

You can define your own scheme. Mozilla does that for “about”, which is used to access internal browser resources. Try about:cache, for example. The config resource is a hook into the preference system. When you type about:config, you’re navigating to a local resource just as you would navigate to a Web-based resource for an HTTP-based Web page. Figure 1 shows the results of loading the about:config resource.


[Figure 1 screenshot: the about:config listing, with a Filter box and the columns Preference Name, Status, Type and Value; the visible rows are the accessibility.*, advanced.* and alerts.* preferences at their default values.]

Figure 1. Firefox Showing the about:config Preferences


This preference listing is also a form. Right-click on any preference to modify it or to state a new preference. Shorten the display by entering some text in the Filter box if you want. Many Firefox extensions can provide alternate interfaces to about:config. Feel free to experiment with them.

Nothing is perfect, alas; about:config shows only preferences that already have been set or specified anywhere. It doesn’t show preferences that have meaningful uses, which appear nowhere in the about:config list. To add a value for a new preference that doesn’t appear, simply right-click anywhere in the main window, and select New from the context menu, then select the type of preference: string, integer or Boolean.

Without further ado, here’s a tour of preferences to which the Firefox UI doesn’t give you access. Some are unmasked by about:config; some are not. They’re all relatively safe to experiment with. If you get into trouble, go back to about:config and unset the preference, or, in the worst case, shut down Firefox and delete the prefs.js file noted earlier. Everything said to this point also applies to other Mozilla products: the Mozilla Application Suite, Thunderbird and so on. Hesitate before deleting the Thunderbird prefs.js file. It contains important pointers to your e-mail.


Tune the Use of Firefox Caches

Here’s a simple preference to begin with. You can explicitly set the size of the memory part of Firefox’s Web cache. Here’s the preference, which has a type of integer:

browser.cache.memory.capacity

Set it to the integral number of KB (Kilobytes) that you want as a maximum. By default, this preference is unstated and has a default value of -1, meaning “expand to fill available memory as required”. That’s a little like the Linux disk buffer cache. You might not want that if you’re running OpenOffice.org and Firefox simultaneously and working both applications hard. If you do change this preference, you’re going the way of Mac OS 9 and lower, where each application gets an explicit memory allocation. That could be a tuning burden if you go too far with it.

The Mozilla Web cache (both memory and disk) is akin to the function of servers like Squid. That is, both types of cache are smart about the use of HTTP headers for caching purposes. If you’re in control of the local Web proxy, there’s probably more value in a huge Squid cache than there is in a really big local disk cache. A bigger Firefox cache still gives some performance boost though. You can alter caching use through the integer preference:

browser.cache.check_doc_frequency


This preference affects when Firefox accesses the cache, not how the cache itself works. The cache caches Web content every opportunity it gets, but if Firefox fails to check it, such opportunities will come rarely. Set the preference to 0 for one check per URL resource per Firefox Web surfing session, 1 always to use the cache, 2 never to use the cache and 3 (the default) when the HTTP caching rules say it’s a good idea to cache.

Disable Scripting Limitations

It’s possible for a Web page to implement a denial-of-service attack on the browser user. All you need is a Web page that runs a heap of JavaScript in an infinite busy loop. Firefox can’t accept user input when such intensive processing is going on. This integer preference causes script execution to halt if it goes on too long. The units are seconds, and the default is 5:

dom.max_script_run_time

You might have Firefox set up to do some tricky Web spidering. You might have it acting as a bot or running continuously as an unattended console. In any of those cases, set this preference to -1, and Web page scripts run forever unmolested.

The use of various asynchronous mechanisms, such as setTimeout(), supports long scripting timelines in a normal Web page. There’s no need for preference changes to support such things.

Disable Favicons and Site Icons

In the Firefox browser, a tab title, Location Bar URL or displayed bookmark can acquire a small image (an icon), which is displayed to its left. Usually it contains a brand mark for the site of the currently displayed Web page. You might not want this to happen. It makes your bookmarks file bigger, and (especially if you’re on dial-up) it causes an extra HTTP request when the page first is visited. That request fetches the icon for display. These two Boolean preferences, both with a default of true, can be set to false to disable those fetches and the subsequent icon display:

browser.chrome.site_icons
browser.chrome.favicons

Set either one to false, and these icons are ignored. Bookmarks get the standard bookmarks icon, and elsewhere no icon at all appears.

You might ask, “Why are there two preferences?” Part of the reason is because these icons can be specified in two ways. You can put a 16x16 pixel Microsoft Windows ICO format icon at this URL: www.example.com/favicon.ico.

That icon will do for all pages on that site and is officially a Favorites Icon or favicon, to use Microsoft’s term. Alternately, you can add an icon per page, using a <link> tag and any 16x16 ICO URL, like this:

<link rel="SHORTCUT ICON" href="/images/mybrand.ico" />

For some historical reason, that per-page use is called a Site Icon.

The other reason for two preferences has to do with parallel development streams in the Mozilla Project, the mess that is bookmark file formats and a shortage of time for trivial cleanup tasks. We’re looking under the hood, remember.


If you have a drop of graphics programming in your blood, you might spare a kind thought for L. David Baron, Robert O’Callahan and company—the core developers of the Gecko rendering engine inside Firefox. Displaying a Web page is a fiendish compromise among standards, performance and subjective user perceptions. One of the most difficult constraints that Web pages impose is the need for incremental display. Show me the Web page as it arrives, not all at once at the end. This means constantly reflowing the displayed elements, which may be delivered out of order (a problem word processors don’t have). Worse, such documents nearly always are network-delivered with unreliable timing.

To see the difficulty of this job, visit an image-intense Web site such as gamespot.com. Over broadband, the loading page jumps around in an agony of layout updates while chunky content is dumped into the browser in no particular order. On dial-up, the process is slower and more familiar, but the amount of layout labour is even larger, because there’s more time to adjust each received fragment of page. Figure 2 shows the image-heavy GameSpot site, rendered while the images are still coming in.

Figure 2. Close-up of a half-received Web site, jumping around as Firefox updates the layout.


Given this kind of problem, you can imagine, therefore, that all kinds of hidden tuning preferences are available—if you know where to find them. This isn’t a tuning workshop, so here are two of the more interesting ones.

It’s rare to want to tune down Firefox. (You should buy your nice mother a better computer.) It’s more likely that you've got lots of CPU and video grunt and want to use it. You probably click the mouse more than 2,000 times a day. Theoretically, you can shave a quarter of a second off your response time—that’s an extra coffee break a day—with this integer preference:

nglayout.initialpaint.delay

Set this to 0 (zero) milliseconds. It’s set to 250 by default. When a Web page starts to trickle into the browser, Firefox normally waits a bit after it has organised the page fragments in memory. It makes sense to bunch up the first few bits of content before attempting to show them. If you’ve got a quick eye, though, you can make it show what it’s got ready straightaway.

Similarly, Firefox buffers up the incoming raw network content before it bothers to break those bytes down into something ready for display. That’s another chunking process that saves the CPU but slows the output on a fast machine. Set this integer preference to, say, 5,000 (microseconds), and incoming network bytes are pushed to the display system much more quickly:

content.notify.interval

Doing so, however, makes Firefox work very hard scheduling updates in response to every drop of content. If you lower this value too much, that extra work merely results in the incoming data buffering farther back in the dataflow—perhaps behind a socket in the kernel—while Firefox thrashes around trying to complete a whole display update for every trivial character of text that appears. Lower the preference a bit at a time, and watch the CPU with top(1), perhaps.


Penetrate the Mystery of Trusted Codebases

For a long time, Firefox, Mozilla and, before that, Netscape 4.x, supported this hidden Boolean preference:

signed.applets.codebase_principal_support

Normally, it’s set to false—if you want you can set it to true. It’s a poorly understood preference, so here’s an explanation. First of all, the name is about as relevant as UNIX’s /etc—it’s so steeped in history that it’s basically wrong. There are no applets at work; there’s no Java at work. Mozilla has an amicable separation from Java, where Netscape 4.x was deeply wedded to that technology. Mozilla now handles its own security natively, in C/C++ code. It should be called signed.content.codebase_principal_support—one day, maybe.

This preference is used to assist developers who work with digitally signed content. It has no relation to SSL or to PGP/GPG. An example of signed content is a Web site or Web application bundled up into JAR format and digitally signed in that form.

Roughly speaking, two checks are done if digitally signed content arrives in Firefox. First, the digital certificate accompanying the content is checked against Firefox’s list of known certificate authorities (CAs). If that much is fine, the maker of that content is considered authentic. Firefox then lets the content request extra privileges, ones that overcome normal browser restrictions, like access to the local disk. Usually that’s done through JavaScript.

When those requests are made, Firefox throws up dialogs to the user. This is when the second check is done—it is done manually by the user. If the user agrees, the content can run with security restrictions dropped and your computer is exposed, or at least the currently logged-in Linux account is exposed.

For a developer, these checks are a nuisance. It’s extra effort to buy (with real dollars) a suitable certificate for signing the content and set up the infrastructure. That should be necessary only when the site goes live.

Instead of using a real digital certificate to sign the content under development, suppose you use a dummy certificate—one that’s not authentic. You can make a dummy certificate with the SignTool tool, available at ftp.mozilla.org/pub/mozilla.org/security/nss/releases. Next, you tell the browser that it’s okay to accept such a dummy certificate. That’s what the above preference does.

Setting this preference weakens only the first security check. You always have to perform the user-based check—at least Firefox offers to remember what you said after the first time. Setting this preference means that Firefox accepts a dummy certificate from any Web site, so use this only on isolated test equipment.


Read Your E-mail from Firefox

Finally, here’s a simple way to set up Thunderbird access from Firefox. Set this Boolean preference to true to enable the mailto: URL scheme—the one that appears in Web page “Contact Me” links:

network.protocol-handler.external.mailto

An example of a mailto: URL is mailto:nrm@kingtide.com.au. Secondly, set this string preference to the path of the Thunderbird executable or to the path of any suitable executable or shell script:

network.protocol-handler.app.mailto

Digging out hidden preferences is a bit of a treasure hunt. Many are documented on Firefox-friendly Web pages, but the ultimate authority is the source code. Preference names are simple strings, and it’s possible to create your own. Many of the extensions that can be added to Firefox dump extra preferences into the preference system. As long as the extension remembers to check and maintain those preferences, they have the same first-class status as the ones that have meaning for the standard Firefox install.

Remember, you always can save a copy of your prefs.js file before an experimental session with about:config and restore the saved copy if things get too weird. Happy config hacking!
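Since prefs.js is just a file of user_pref() calls, the preferences this article warns about can be checked without opening the browser at all. The following JavaScript program is an added example, not code from the article or from Mozilla: it parses the user_pref() lines of a prefs.js or user.js file into typed values and reports the settings discussed above that widen exposure, namely signed.applets.codebase_principal_support set to true (dummy certificates accepted from any site), dom.max_script_run_time set to -1 (runaway page scripts never interrupted) and a mailto: handler that is not an absolute path. The sample file contents are constructed for the example, and the absolute-path rule for network.protocol-handler.app.mailto is this example's own assumption, not something the article states.

```javascript
// Added example, not from the article: audit a Firefox prefs.js / user.js
// for the hidden preferences discussed above. The sample file is constructed.
const SAMPLE_PREFS_JS = [
  '# Mozilla User Preferences',
  'user_pref("browser.cache.memory.capacity", 16384);',
  'user_pref("browser.cache.check_doc_frequency", 3);',
  'user_pref("dom.max_script_run_time", -1);',
  'user_pref("signed.applets.codebase_principal_support", true);',
  'user_pref("network.protocol-handler.external.mailto", true);',
  'user_pref("network.protocol-handler.app.mailto", "/usr/bin/thunderbird");',
  'user_pref("browser.chrome.site_icons", false);',
].join("\n");

// prefs.js holds one user_pref("name", value); call per line, where value is
// a boolean, an integer or a double-quoted string. Parse those three literal
// types into a Map of name -> JS value; any other literal is left unparsed.
function parsePrefs(text) {
  const prefs = new Map();
  const line = /^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$/;
  for (const raw of text.split("\n")) {
    const m = line.exec(raw);
    if (!m) continue;
    const [, name, lit] = m;
    if (lit === "true" || lit === "false") prefs.set(name, lit === "true");
    else if (/^-?\d+$/.test(lit)) prefs.set(name, parseInt(lit, 10));
    else if (lit.length >= 2 && lit.startsWith('"') && lit.endsWith('"'))
      prefs.set(name, lit.slice(1, -1));
  }
  return prefs;
}

// Return one finding per risky setting among the preferences the article covers.
function auditPrefs(prefs) {
  const findings = [];
  if (prefs.get("signed.applets.codebase_principal_support") === true) {
    findings.push("signed.applets.codebase_principal_support=true: signed " +
      "content with a dummy (non-CA) certificate is accepted from any site; " +
      "meant only for isolated test equipment");
  }
  if (prefs.get("dom.max_script_run_time") === -1) {
    findings.push("dom.max_script_run_time=-1: runaway page scripts are never " +
      "interrupted, so a busy-looping page can lock up the browser");
  }
  const handler = prefs.get("network.protocol-handler.app.mailto");
  if (prefs.get("network.protocol-handler.external.mailto") === true &&
      typeof handler === "string" && !handler.startsWith("/")) {
    // Assumption of this example: a relative handler name is resolved through
    // PATH, so insist on an absolute path to a known executable.
    findings.push("network.protocol-handler.app.mailto=" + handler +
      ": mailto: links launch a program that is not an absolute path");
  }
  return findings;
}

// Parse and audit in one call; returns the array of finding strings.
function auditPrefsFile(text) {
  return auditPrefs(parsePrefs(text));
}

console.log(auditPrefsFile(SAMPLE_PREFS_JS).join("\n"));
```

To run it against a real profile, read ~/.mozilla/firefox/*/prefs.js into a string and pass it to auditPrefsFile(); the parser deliberately ignores lines it does not understand rather than guessing, so a string value containing the sequence `");` would be skipped, not misread.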

Resources for this article: www.linuxjournal.com/article/8139.

Nigel McFarlane (www.nigelmcfarlane.com) is the Mozilla community’s regular and irregular technical commentator focused on education, analysis and a few narrowly scoped bugs. Nigel is the author of Firefox Hacks (O'Reilly Media) and Rapid Application Development With Mozilla (Prentice Hall PTR).
INDEPTH SUPERCOMPUTING

Building a Bioinformatics Supercomputing Cluster

Bioinformatics tools running in the OSCAR cluster environment turned 17 recycled PCs into a system that improves performance for user queries.
BY JOSH STROSCHEIN, DOUG JENNEWEIN AND JOE REYNOLDSON

Bioinformatics is an increasingly important scientific discipline that involves the analysis of DNA and protein sequences. The Basic Local Alignment Search Tool (BLAST) was developed by the National Center for Biotechnology Information (NCBI) to aid scientists in the analysis of these sequences. A public version of this tool is available on the Web or by download. Because the BLAST Web site is such a popular tool, its performance can be inconsistent at best. The University of South Dakota (USD) Computer Science Bioinformatics Group decided to implement a parallel version of the BLAST tool on a Linux cluster by combining freely available software. The BLAST cluster, composed of old desktop PCs destined for surplus, improves searches by providing up-to-date databases to a smaller audience of researchers.

Our cluster project began with an implementation of the Open Source Cluster Application Resources (OSCAR). OSCAR was developed by the Open Cluster Group to improve cluster computing by providing all the necessary software to create a Linux cluster in one package. OSCAR helps automate the installation, maintenance and even the use of cluster software. A graphical user interface provides a step-by-step installation guide and doubles as a graphical maintenance tool.


WWW BLAST was created by NCBI to offer a Web-based front end for BLAST users and is the Web interface we selected for our BLAST cluster. WWW BLAST can be installed easily on a Linux machine running a Web server such as Apache.

Although WWW BLAST enhances the usability of our cluster, mpiBLAST enhances the performance. mpiBLAST was developed by Los Alamos National Laboratories (LANL) to improve the performance of BLAST by executing queries in parallel. mpiBLAST is based on the Message Passing Interface (MPI), a common software tool for developing parallel programs. mpiBLAST provides all of the software necessary for parallel BLAST queries.


Overview of a Query

A Web-based query form marks the beginning of a BLAST search on our cluster. By default, WWW BLAST does not support batch processing and job scheduling. Fortunately, OpenPBS and Maui are provided by the OSCAR software suite to handle job scheduling and load balancing. With this support, the cluster can handle a larger user audience more easily. OpenPBS is a flexible batch queuing system originally developed for NASA. Maui extends the capabilities of OpenPBS by allowing more extensive job control and scheduling policies.

Once the user submits the query, a Perl script provided by WWW BLAST is invoked. This script creates a unique job based on parameters from the query form. A job is a program or task submitted to OpenPBS for execution. Once the job has been submitted, OpenPBS determines node availability and executes the job based on scheduling policies. This job starts the local area multicomputer (LAM) software, which is a user-level, daemon-based runtime environment. LAM is available as part of the OSCAR installation and provides many of the services required by MPI programs. OpenPBS executes the job by utilizing the mpirun command, which executes the query on each node and gathers the results. WWW BLAST passes these results back to the browser, presenting the user with a human-friendly report (Figure 1).

Figure 1. When a query comes in from the Web, WWW BLAST submits a job to OpenPBS. OpenPBS starts the job with mpirun and WWW BLAST formats the results.

Implementing cluster technology to perform parallel BLAST searches requires some software reconfiguration. Many of the tools we use work with default installations, but a parallel BLAST cluster requires extra configuration to get things running.

Using OSCAR to Build a Cluster

Clusters may be made up of a variety of PCs. The 17 nodes we used had 533MHz Intel Celeron processors, 256MB of RAM and 15GB of hard disk space—relatively low-end by today’s standards. Using the exact same hardware setup for all of the nodes is not vital for cluster setup, but doing so does reduce the time and effort needed to install and maintain your cluster. Once all of the hardware is ready, you must choose a machine to be the head node. If you are not using identical machines, it would be beneficial to use the most powerful as the head node. Because all of the PCs we used have the exact same hardware configuration, the choice of the head node was arbitrary.

After you have obtained all the necessary PC hardware, you need to choose a Linux distribution. The OSCAR documentation lists all of its supported distributions, and Red Hat 9.0 was our distribution of choice. Installing Red Hat was pretty straightforward; we chose the default options. Because the OSCAR software depends on specific versions of OS packages, you should not install any updates once the installation completes. Of course, this has many security implications, which is why it is important to keep your cluster separated from the Internet by a firewall.

Once Red Hat was installed on the head PC, we downloaded the OSCAR 2.3.1 tarball. See the on-line Resources for installation documentation. We downloaded OSCAR into root’s home directory, because OSCAR needs to be installed as root. Installing the OSCAR software was as easy as running the following commands:

tar -xvzf oscar-2.3.1.tar.gz
cd oscar-2.3.1
./configure
make install

After the installation completed, we needed to copy all of the Red Hat 9.0 RPMs to /tftpboot/rpm on our head PC. The OSCAR installation needs to install certain packages from this directory during its installation. We used the following command to copy the files:

cp /mnt/cdrom/RedHat/RPMS/*.rpm /tftpboot/rpm

Once all of the RPMs are copied, the OSCAR installation can begin. OSCAR provides a graphical installation wizard for the installation. Substitute the name of your private network Ethernet adapter; ours was eth1:

cd $OSCAR_HOME
./install_cluster eth1

Figure 2. The OSCAR installation wizard lets you
After a few moments, the OSCAR installation wizard begins to load. This wizard provides a graphical user interface and an intuitive eight-step process to complete the cluster setup (Figure 2). The only variation in our installation procedure was to set the default MPI implementation to LAM/MPI instead of MPICH. We chose LAM because it is needed for mpiBLAST to execute properly.

Clicking on step 2, Configure Selected OSCAR Packages, displays a small dialog (Figure 3). From there you can select the Environment Switcher button and choose LAM as the default for the installation (Figure 4).

We followed the remaining steps as described in the OSCAR documentation to build and install a disk image for the nodes. Once all of the nodes were installed and tested, we downloaded and installed mpiBLAST.

Figure 3. Click on Config... to change environment to LAM.

Figure 4. Select LAM for default environment.


Installing mpiBLAST for Parallel Searches

We downloaded mpiBLAST and installed it according to the documentation provided in the README file. We created symbolic links for mpiblast and mpirun in our $PATH, and no further configuration of mpiBLAST was necessary.

Once mpiBLAST was installed, we needed to download a database to search. For mpiBLAST to execute properly, the database needs to be in the FASTA format. NCBI offers an index for all of its databases on the NCBI Web site, and that index lists a FASTA subdirectory containing all of the databases in FASTA format. We downloaded a copy of the nr database to /usr/local/mpiBLAST/db/, an NFS-shared folder set up during the installation of mpiBLAST. mpiBLAST provides the mpiformatdb command, which formats the database into segments; the number of segments depends upon the number of nodes in the cluster. mpiformatdb places the segments it creates into a shared directory. This directory is defined in mpiblast.conf during installation and is utilized by all mpiBLAST programs. Here is an example of formatting the database:

# /usr/local/mpiBLAST/bin/mpiformatdb -N 16 -i nr

Here, -N specifies the number of database segments—usually the number of nodes in the cluster—and -i specifies the name of the database file to format. In this example, the nr database is formatted into 16 individual segments. mpiformatdb does not copy the segments to the nodes, so a significant amount of overhead is incurred while each node copies its database segment during the first query. Each node copies a segment only once. If the segment is erased from the node, it is copied again during the next query.

To simplify management of the cluster, we wrote a script to download the newest version of a database, format it with mpiformatdb and distribute it to the nodes by executing a simple BLAST query. We scheduled this script with cron to run on a weekly basis. Once we were able to execute BLAST queries in parallel, we added the Web-based front end from WWW BLAST.


Configuring WWWBlastwrap.pl 

mpiBLAST provides command-line BLAST searches and 
includes two files for interaction with a Web-based front end, 
blast.cgi and WWWBlastwrap.pl. These files are configured to 
work with WWW BLAST. So our next step was to download 
WWW BLAST into the /var/www directory, creating the 
/var/www/blast/ directory. Several configuration changes had 
to take place for WWW BLAST to submit BLAST searches for 
parallel execution. 

WWW BLAST provides its own directory for databases. 
Because we are using mpiBLAST to format the databases, we 
had to point WWW BLAST’s db/ directory to mpiBLAST’s. 
We then made the db/ directory in blast/ a symbolic link to the 
db/ directory for mpiBLAST. 

WWW BLAST provides a file called blast.cgi that executes 
a BLAST query. mpiBLAST provides a replacement blast.cgi 
that executes a parallel BLAST query by way of 
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WWWBlastwrap.pl. WWWBlastwrap.pl is a Perl script that 
creates a query for mpiBLAST to execute. WWWBlastwrap.pl 
creates this query in the form of another Perl script, populating 
it with the parameters from the Web form. This script is sub- 
mitted to OpenPBS. WWWBlastwrap.pl serves several func- 
tions, including parsing the parameters of the form, creating a 
script to be submitted to the cluster through OpenPBS for job 
queuing and load balancing and returning the BLAST search 
results in a browser-friendly format. 

We needed to make some changes to WWWBlastwrap.pl, 
however, to allow it to operate correctly in our environment. 
The first change that we made was to the global variables 
$scratch_space and $MPIBLASTCONF. These two variables 
are used throughout the life of the script. $scratch_space holds 
the absolute path to a directory containing temporary files used 
during a query. $MPIBLASTCONF holds the absolute path to 
the directory containing the mpiBLAST configuration file. 
Both of these directories were set up during the installation of 
mpiBLAST. We set the two variables as follows: 


$scratch_space="/usr/local/mpiBLAST/shared/scratch"; 
$MPIBLASTCONF="/usr/local/mpiBLAST/etc/mpiblast.conf"; 


The next change involved a series of if statements. These 
statements hard-code the NUMPROC variable for the nt, nr and 
pdb databases. Because the databases need to be preformatted 
by mpiBLAST, the number of processors used per query is 
constant. We changed the default number of 20 to 16, which is 
the number of processors we use: 


if ($data{'DATALIB'} eq "nt"){ 
$data{'NUMPROC'} = 16; 
} 


Farther down in the script, the ValidateFormData subrou- 
tine is defined. This subroutine ensures that the user has select- 
ed a valid database/program combination and produces a 500 
server error if a valid combination is not selected. We changed 
the subroutine to allow the tblastx program to execute queries 
on the nr database by making the following change: 


#### BEFORE #### 
# Must be applied to a nucleotide database 
if ($data_ref->{'DATALIB'} ne "nt"){ 


#### AFTER #### 
# Must be applied to a nucleotide database (nt) or, 
# for tblastx, to nr. The two tests must be joined 
# with &&: joined with ||, the condition is true for 
# every database and every query gets the 500 error. 
if ($data_ref->{'DATALIB'} ne "nt" && 
    $data_ref->{'DATALIB'} ne "nr"){ 


Later on, the script creates a string of command-line argu- 
ments for mpiBLAST and stores them in the variable $c_line. 
We needed to change the value passed to the -d option, which 
tells mpiBLAST which database to search. By default, 
WWWBlastwrap.pl concatenates the number of processors to 
the database name and passes the result to the -d option. So 
if our database was named nr and we had 16 processors, it 
would pass nr16. Presumably this is done to allow more than 
one version of a database to be searched, that is, nr16 for a 
16-segment database and nr8 for an 8-segment database. You 
either can name your databases in that manner or modify the 
script. Because we only ever have one version of a database, 
we chose to modify the script, removing the number of 
processors from the database name. The code changes are 
summarized below: 


#### BEFORE #### 
# Create the command line to pass to mpiBlast 
my $c_line = "-d $data_ref->{'DATALIB'}" . 
             "$data_ref->{'NUMPROC'} " . 
             "-p $data_ref->{'PROGRAM'} " 


#### AFTER #### 
# Create the command line to pass to mpiBlast 
my $c_line = "-d $data_ref->{'DATALIB'} " . 
             "-p $data_ref->{'PROGRAM'} " 
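The ValidateFormData and $c_line changes above both turn values typed into the Web form into arguments of a job handed to OpenPBS. As an added example (not code from the article, from mpiBLAST or from WWW BLAST), the following Perl script does the same two steps with a lookup table instead of chained ne tests, so a database/program pair reaches the command line only if it is explicitly allowed; the table of combinations and the 16-processor counts are assumptions for the illustration, following the article in letting tblastx run against nr.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Database/program combinations accepted by this example's validator.
# Constructed for illustration (it follows the article in allowing tblastx
# on nr); the real WWWBlastwrap.pl hard-codes its own tests.
my %allowed = (
    nt  => { map { ($_ => 1) } qw(blastn tblastn tblastx) },
    nr  => { map { ($_ => 1) } qw(blastp blastx tblastx) },
    pdb => { map { ($_ => 1) } qw(blastp blastx) },
);

# Processors per query are constant because each database is pre-formatted
# into a fixed number of segments (16 on the article's cluster).
my %numproc = (nt => 16, nr => 16, pdb => 16);

# Returns undef when the form data may become a job, or a reason string
# when it must be refused (the real script answers with a 500 error).
sub validate_form_data {
    my ($data_ref) = @_;
    my $db   = $data_ref->{'DATALIB'} || '';
    my $prog = $data_ref->{'PROGRAM'} || '';
    return "unknown database '$db'" unless exists $allowed{$db};
    return "program '$prog' may not be applied to database '$db'"
        unless $allowed{$db}{$prog};
    return undef;
}

# Builds the mpiBLAST argument string the article keeps in $c_line, without
# the processor count appended to the database name. Only values that passed
# the allow-list are interpolated, so nothing typed into the Web form reaches
# the script submitted to OpenPBS unchecked.
sub build_command_line {
    my ($data_ref) = @_;
    my $err = validate_form_data($data_ref);
    die "ValidateFormData: $err\n" if defined $err;
    $data_ref->{'NUMPROC'} = $numproc{ $data_ref->{'DATALIB'} };
    return "-d $data_ref->{'DATALIB'} -p $data_ref->{'PROGRAM'}";
}

# Constructed form submissions, not captured requests.
for my $form (
    { DATALIB => 'nr',        PROGRAM => 'tblastx' },  # accepted
    { DATALIB => 'pdb',       PROGRAM => 'tblastx' },  # refused: combination
    { DATALIB => 'swissprot', PROGRAM => 'blastp'  },  # refused: unknown database
) {
    my $c_line = eval { build_command_line($form) };
    if (defined $c_line) {
        print "accepted: mpiblast $c_line (NUMPROC=$form->{'NUMPROC'})\n";
    } else {
        print "refused:  $@";
    }
}
```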


When running test queries, we received several 
lcl|tmpseq_0: Unable to open BLOSUM62 warnings in the 
OpenPBS error log. Pointing the environment variable 
BLASTMAT to the location of the BLAST matrices clears up 
these warnings, so we made the following change: 


#### BEFORE #### 

print SCRIPTFILE '#PBS -e '. 
    "$data_ref->{'ERROR_LOG_FILE'}\n\n"; 

print SCRIPTFILE 'if(-e $ENV{PBS_NODEFILE} ){'."\n"; 


#### AFTER #### 

print SCRIPTFILE '#PBS -e '. 
    "$data_ref->{'ERROR_LOG_FILE'}\n\n"; 

# Tell BLAST where the scoring matrices (BLOSUM62 etc.) live 
print SCRIPTFILE '$ENV{BLASTMAT} = '. 
    '"/usr/local/ncbi/data";'."\n"; 

print SCRIPTFILE 'if(-e $ENV{PBS_NODEFILE} ){'."\n"; 


We encountered the final alteration toward the end of the 
script in the HtmlResults subroutine. The code that directs the 
user to the results uses a default base URL, which almost cer- 
tainly is not what you want. Changing the base URL to point to 
our Web server allowed the client’s Web browser to display the 
results of the BLAST query: 


#### BEFORE #### 
print "Location: https://jojo.lanl.gov/blast/". 
      "BlastResults/$results_file\n\n"; 


#### AFTER #### 
print "Location: http://domain_name/BlastResults". 
      "/$results_file\n\n"; 


Conclusions and Results 
Our local cluster is able to search an up-to-date database with 
fewer concurrent users and better overall throughput times than 
is the NCBI Web site. Simple wall-clock time trials were performed 
using our cluster and the NCBI Web site. We used 
eight simple queries consisting of protein and DNA sequences. 
A timer was started after submitting a query from the Web site 
and stopped once the results were displayed in the browser 
window. Trials on the NCBI Web site were performed at vari- 
ous times throughout the span of two weeks. All eight trials 
were averaged and compared to the cluster’s times. The pur- 
pose of timing the query from the point of submission until the 
results are displayed was to observe times that an actual user 
would incur. On average, the cluster took less time to complete 
a query. 


Figure 5. Our cluster, consisting of 17 recycled PCs, improves response times for users’ queries. 


Resources for this article: www.linuxjournal.com/article/8140. 
ThinkPad T41), and Don has reviewed the HP NX5000. Doc has used 
Apple PowerBooks in the past. I’ve felt that trying to use Linux on a 
laptop was always a “hack”. Never really worked right. And, I’ve tried 
it more than once with more than one distro. So, which is the way to 
go? A PowerBook with a Power PC Linux Distro? An EmperorLinux 
hybrid? DIY and hope for the best? 


Karl 


That’s a tough one. We’re impressed with how all of HP’s hardware 
was working out of the box, that the system price didn’t include a 
proprietary OS “tax” and that we could get hardware and software 
phone support with one call. EmperorLinux will sell you a working 
Linux install on a wide selection of name-brand systems. Don and 
Jill both have IBM ThinkPads from them, but Don’s new Linux load 
is definitely on the DIY side. LinuxCertified also sells x86 Linux 
laptops, and Terra Soft will pre-install on Apple hardware, but we 
haven't reviewed either one.—Ed. 


Names, Please 

The fact that most of the comments on the new Web site are posted by 
Anonymous makes reading the threads very difficult, particularly 
when contrary views are espoused. A good example is the thread fol- 
lowing this article: www.linuxjournal.com/article/7719. It’s hard 
to know who is saying what and who is new to the conversation. How 
about enforcing the entry of a name, even if it isn’t a real one? 


Nick Rout 


Xen, Please 


I would like to read about virtualization using Xen in Linux Journal. 
Are you considering publishing an article about this issue? 


Ralf Strandell 


Yes, we are.—Ed. 


Project Directory Permissions Tip 
Good articles on setting up NIS [see Alf Wachsmann’s articles in the 
February, March and April 2005 issues]. There is one additional step 
that can be done when setting up the project area. After running the 
commands in the article, set the group sticky bit, which will cause 
new files to inherit the group ownership from the directory: 


chmod g+s /projects/X/ 


That eliminates the need to use newgrp so much. But still, users need to be 
reminded about their umask. In this case, I’d recommend either 007 (no 
world access) or 002 (no world write access). I also like to set the owner of 
the /projects/X/ directory to be the point of contact for the project. 


Jon Miner 
If You Don’t Believe in DRM, It Can’t Hurt You 


“Keep your management off my digital rights” isn’t 
merely a slogan for freedom-lovers. It’s a smart IT 
decision. BY DON MARTI 


The last time I talked with Martin Fink, HP’s Vice President 
of Linux, the problem on his mind was digital rights management 
(DRM) and if it could ever be compatible with free software. 
It’s a puzzling question, but Martin, like everyone else in the 
Linux business, can find better problems to work on. 

DRM is any technology that selectively disables features or 
affordances of a program or device in order to control use of a 
copy of information by the owner or authorized user of the 
copy. Think “unrippable” CDs for the home market or, on the 
office side, e-mail software that lets someone who sends you 
mail disable your forward or print function. 

A coin-operated jukebox is not DRM, and chmod 600 
my-secret-file.txt on a multiuser system is not DRM. Those 
technologies exclude only unauthorized users. DRM starts 
when the technology begins nit-picking about what you can do. 
For example, “play only on example.com’s media player” is 
DRM. Certainly such a system helps example.com hang on to 
its customers, but there’s no demand for it. 

In this crazy business of ours, every once in a while, com- 
panies go into a frenzy to sell technology that doesn’t work to 
customers who don’t want it. In the 1990s, did customers want 
overpriced UNIX from bickering vendors or stable-any-day- 
we-promise Windows NT? Sorry, neither one works for us. 
Support Linux, please. Or on-line services. AOL or 
Compuserve? We’ll take the Internet, thanks. 

When I met Intel VP Donald Whiteside a while back, he 
summed up the IT industry party line on DRM. IT compa- 
nies have to do DRM in order to work with the “consumer 
electronics”, movie and record companies who put together 
media standards. He said computer DVD drives are so 
locked down because the DVD Copy Control Association 
would have refused to license the DVD format for computer 
drives otherwise. 

Mr Whiteside is too modest about the IT industry’s negotiating 
position. People started shifting their leisure time 
from big-budget TV productions to the slow-loading, frus- 
trating Internet long before the big entertainment industry 
made it there. And the big copyright holders make pie-in- 
the-sky DRM demands, but a little Internet Movie Database 
search of actual DVD release dates shows a different story in 
the real world. 

The five top grossing movies for 1998, before the DVD 
descrambling story broke, took an average of 367 days after 
first release to come out in DVD format. By 2000, disinfecting 
DVDs was common knowledge in tech circles, but the top five 
movies for 2000 actually came out sooner after theatrical 
release—252 days. 

The story is the same for before and after the “DVD X 
Copy” application for Microsoft Windows—from 190 days in 
2002, before it came out, to 160 days during 2003 when it was 
available. Yes, the movie industry has an infringement prob- 
lem, and they might even be releasing DVDs sooner than they 
would want in order to compete with infringing copies. But the 
DRM features of the DVD itself are a pointless sideshow. 

The other hyped-up use for DRM is at the office. Deploy 
DRM and you can keep employees from forwarding embar- 
rassing e-mail to the media. That sounds like the answer to net- 
work-illiterate managers’ prayers, but if it’s juicy enough to 
leak, it’s juicy enough to write down and retype. Bill Gates of 
Microsoft, in an interview with gizmodo.com, tried to pitch 
DRM using the example of an HIV test result, which is literal- 
ly one bit of information. If you hired someone untrustworthy 
enough to leak that but unable to remember it, you don’t need 
DRM, you need to fix your hiring process. 

When I talk to working IT professionals, the trend is to 
open up information “behind the firewall” at a company—not 
lock it down. People aren’t worried about how to DRM-ize 
everything. Instead, I’m seeing enterprise Wikis. “Enterprise 
Wiki” still sounds funny, but companies with lots of trade 
secrets are rolling them out. “Edit this Page” adds value, and 
DRM has the opposite effect. 

Even the mighty US army is adopting discussion-friendly 
social software. Doc Searls sent me a link to Dan Baum’s great 
New Yorker article about Companycommand.com and 
Platoonleader.org, which two army captains started as a side 
project to exchange advice outside the normal channels. The 
army promoted them and brought the sites in-house. 

What if I’m wrong, DRM really is the Next Big Thing, and 
the herd of IT vendors is right for the first time in history? 
Network effects practically guarantee that one DRM system 
will be a global standard. Picking the winner, though, depends 
on unpredictable DRM-circumvention efforts by security 
researchers worldwide. 

And when even a PC operating system can be an “essential 
facility” to be regulated on antitrust grounds, DRM that actual- 
ly worked would be too much power for governments to let 
anyone else have. Win the DRM war, and the prize is becom- 
ing a regulated industry like the pre-breakup AT&T. Martin 
Fink doesn’t want Linux users to miss the DRM boat. I’ll miss 
that ship of fools any day. 

Resources for this article: www.linuxjournal.com/article/8127. 


Don Marti is editor in chief of Linux Journal. 
ABERDEEN 

WHO SAYS YOU CAN’T BE EVERYTHING TO EVERYONE? 

ABERDEEN STIRLING 51T 
1U 14" Extra-Short Depth 
* 14 inch depth allows back-to-back racking 
* Intel® Pentium® 4 Processor with 800MHz FSB and Up to 2MB Cache 
* Intel E7221 Chipset with 64-Bit Support 
* Up to 4GB DDR2 533 Memory 
* Up to 1 x 400GB SATA Hard Drive 
* 260W AC Power Supply w/PFC 
* 5-Year Limited Warranty 

ABERDEEN STONEHAVEN A261 

ABERDEEN STIRLING 104T 
1U Short Depth 4 SATA 
* Intel® Pentium® 4 Processor with 800MHz FSB and Up to 2MB Cache 
* Intel E7221 Chipset with 64-Bit Support 
* Up to 4GB DDR2 533 Memory 
* Up to 4 x 400GB (1.6TB) Hot-Swap SATA Hard Drives 
* 300W AC Power Supply w/PFC 
* 5-Year Limited Warranty 

ABERDEEN STIRLING X312 

2U Dual Opteron™ 6 SATA/SCSI 
* Dual AMD Opteron™ Processors w/Hypertransport and 1MB Cache 
* AMD 8000 Series Chipset w/64-bit Support 
* Up to 16GB DDR-400 Reg. ECC Memory 
* Up to 6 x 400GB (2.4TB) Hot-Swap SATA or 6 x 300GB (1.8TB) Hot-Swap SCSI Drives 
* 460W Hot-Swap Redundant Power Supply 
* 5-Year Limited Warranty 

ABERDEEN ABERNAS 106 
1U 640GB NAS 
* Intel® Pentium® 4 Processor with 800MHz FSB and 1MB Cache 
* 512MB Low Latency DDR-400 Memory 
* 4 x 160GB (640GB) Hot-Swap SATA Hard Drives (Available with 1.0TB or 1.6TB) 
* 300W AC Power Supply w/PFC 
* Microsoft Windows® Storage Server 2003 
* 5-Year Limited Warranty 

3U 12 SATA Storage Server 
* Dual Intel® Xeon™ Processors with 800MHz FSB and 1MB Cache 
* Intel® E7520 Chipset with 64-Bit Support 
* Up to 16GB DDR2-400 Reg. ECC Memory 
* Up to 12 x 400GB (4.8TB) Hot-Swap SATA Hard Drives 
* 650W 2+1 Redundant Hot-Swap Power Supply 
* 5-Year Limited Warranty 

ABERDEEN ABERNAS 120 
1U 1TB Hardware-RAID NAS 
* Separate Internal Operating System Drive 
* DVD Recovery of OS 
* 3ware Hardware-RAID with Hot-Spare 
* 512MB Low Latency DDR-400 Memory 
* 4 x 250GB (1TB) Hot-Swap SATA Hard Drives (Up to 1.6TB) 
* Microsoft Windows® Storage Server 2003 
* 5-Year Limited Warranty 

Intel, Intel Xeon and Pentium are trademarks or registered trademarks of Intel Corporation. Other 
trademarks are of their respective owners. 

1U Dual Opteron™ 4 SATA/SCSI 
* Dual AMD Opteron™ Processors w/Hypertransport and 1MB Cache 
* AMD 8000 Series Chipset w/64-bit Support 
* Up to 16GB DDR-400 Reg. ECC Memory 
* Up to 4 x 400GB (1.6TB) Hot-Swap SATA or 4 x 300GB (1.2TB) Hot-Swap SCSI Drives 
* 400W AC Power Supply w/PFC 
* 5-Year Limited Warranty 

ABERDEEN STONEHAVEN A141    ABERDEEN STIRLING 111 

1U Dual Xeon™ 4 SATA/SCSI 
* Dual Intel® Xeon™ Processors with 800MHz FSB and 1MB Cache 
* Intel® E7520 Chipset with 64-Bit Support 
* Up to 16GB DDR2-400 Reg. ECC Memory 
* Up to 4 x 400GB (1.6TB) Hot-Swap SATA or 4 x 300GB (1.2TB) Hot-Swap SCSI Drives 
* 560W Power Supply (Optional Redundant) 
* 5-Year Limited Warranty 

ABERDEEN STIRLING X524    ABERDEEN STONEHAVEN A124 

5U 24 SATA Storage Server 
* Dual Intel® Xeon™ Processors with 800MHz FSB and 1MB Cache 
* Intel® E7520 Chipset with 64-Bit Support 
* Up to 16GB DDR2-400 Reg. ECC Memory 
* Up to 24 x 400GB (9.6TB) Hot-Swap SATA Hard Drives 
* 950W 3+1 Redundant Hot-Swap Power Supply 
* 5-Year Limited Warranty 

ABERDEEN XDAS 253 
2U and 3U 8/12/16 Drive SATA-to-SCSI RAID Direct Attached Scalable Storage 
* Daisy Chain Units for Scalability 
* OS and Host Independent 
* Up to 16 x 400GB (6.4TB) Hot-Swap SATA Hard Drives 
* 5-Year Limited Warranty 

1U Quad Opteron™ HPC 
* Quad AMD Opteron™ 800 Series Processors 
* AMD 8000 Series Chipset w/64-bit Support 
* Up to 32GB DDR-400 Reg. ECC Memory 
* Up to 2 x 300GB (600GB) SCSI Hard Drives 
* 500W Power Supply 
* Ultra Cool with Superb Air Flow 
* 5-Year Limited Warranty 

ABERDEEN ABERSAN 1300 
3U 2TB iSCSI SAN Storage 
* Intel® Xeon™ Processor at 3.0GHz with 800MHz FSB and 1MB Cache (Dual Processor Option) 
* 512MB DDR400 SDRAM (Up to 4GB) 
* 2GB PC2-3200 ECC-Reg. DDR2 (Up to 16GB) 
* 8 x 250GB 7200 RPM Hot-Swap SATA 
* 760W Triple Redundant Hot-Swap Power Supply 
* 5-Year Limited Warranty 

888-297-7409 
www.aberdeeninc.com/linux 
WhisperStation™ 

Originally designed for a group of power hungry, demanding engineers in the automotive industry, 
WhisperStation™ incorporates dual 64-bit AMD Opteron™ or Intel® EM64T™ processors, 
ultra-quiet fans and power supplies, plus internal sound-proofing that produce a powerful, but silent, 
computational platform. The WhisperStation™ comes standard with 2 GB high speed memory, an 
NVIDIA FX1300 PCI Express graphics adapter, and 20" LCD display. It can be configured to your 
exact specifications with either Linux or Windows, and specialized applications including Mercury's 
AmiraMOL, PathScale's EKO Compiler Suite or the Intel Performance Tools. RAID is also available. 
WhisperStation™ will also make a system administrator very happy, when used as a master node for 
a Microway cluster! Visit www.microway.com for more technical information. 

Technology you can count on 


